CVE-2025-24756: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in mgplugin Roi Calculator WordPress plugin that allows Stored XSS. The vulnerability affects versions up to 1.0 of the Roi Calculator plugin. The issue was reported on October 9, 2024, and publicly disclosed on January 24, 2025 (Patchstack).

The vulnerability has been assigned a CVSS severity score of 7.1 (Low). The issue is classified under the OWASP Top 10 category A1: Broken Access Control. The vulnerability allows Cross-Site Request Forgery (CSRF) attacks that can lead to Stored XSS. The vulnerability can be exploited without authentication (Patchstack).

This vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The combination of CSRF leading to Stored XSS could potentially lead to persistent attacks against site administrators (Patchstack).

The vulnerability has been fixed in version 1.1 of the Roi Calculator plugin. Users are advised to update to version 1.1 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins to ensure automatic remediation (Patchstack).