CVE-2025-24810: 
WordPress vulnerability analysis and mitigation

Cross-site scripting (XSS) vulnerability exists in Simple Image Sizes WordPress plugin versions 3.2.3 and earlier. The vulnerability was discovered on January 28, 2025, affecting installations where users have administrator-level privileges. This security issue impacts the plugin's settings screen functionality (JPCERT Report, NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) with a CVSS v3.0 base score of 4.8 (Medium), vector string: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue stems from insufficient input sanitization and output escaping in the admin settings interface. This vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled (WPScan, JPCERT Report).

If exploited, this vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts that execute when users access the affected pages. The impact is limited to users with administrative privileges accessing the settings screen (JPCERT Report).

Users are advised to update to Simple Image Sizes version 3.2.4, which contains the security fix for the image size name displayed in the media page. The update was released by the developer Rahe to address this vulnerability (WordPress Plugin).