What is CVE-2025-24673?

CVE-2025-24673 is a medium-severity stored XSS vulnerability affecting AyeCode Ketchup Shortcodes plugin versions up to 0.1.2. Immediate action is recommended to mitigate risks associated with this vulnerability.

What is the severity of CVE-2025-24673?

CVE-2025-24673 has a severity rating of MEDIUM with a CVSS base score of 6.5.

CVE-2025-24673 | Medium Vulnerability in AyeCode Ketchup Shortcodes

CVE-2025-24673 identifies a medium severity stored XSS vulnerability in the AyeCode Ketchup Shortcodes plugin, which affects versions up to 0.1.2. This vulnerability allows attackers to inject malicious scripts into web pages viewed by users, leading to potential unauthorized actions and data exposure. The CVSS score of 6.5 indicates a medium level of risk, necessitating prompt attention from organizations using the affected plugin.

The vulnerability is classified as 'Improper Neutralization of Script-Related HTML Tags in a Web Page' (CWE-80). This type of vulnerability can lead to serious security implications, particularly in web applications where user input is not adequately sanitized. Given the potential for exploitation, organizations should assess their use of the Ketchup Shortcodes plugin and take necessary actions.

Currently, there is no known public exploit for this vulnerability, and it is not flagged as actively exploited in the wild. However, its presence could still pose a risk if left unaddressed. Organizations should prioritize remediation efforts and apply any available patches as soon as possible.

Organizations should address this vulnerability to safeguard their web applications and user data. Immediate patching is advisable to eliminate the risk of exploitation through stored XSS attacks.

Vulnerability Details

CVE-2025-24673 describes an improper neutralization of script-related HTML tags in a web page, resulting in stored cross-site scripting (XSS) vulnerabilities within the AyeCode Ketchup Shortcodes plugin. Affected versions include those prior to 0.1.2. The vulnerability was published on January 24, 2025, and is associated with CWE-80.

Technical Analysis

The root cause of this vulnerability lies in the failure to properly sanitize user input, allowing malicious scripts to be stored and executed. The attack vector is network-based, requiring low attack complexity and low privileges. User interaction is necessary, as the victim must visit a page where the malicious script is executed.

The impacts of successful exploitation include low confidentiality, integrity, and availability impacts, but the potential for unauthorized actions and data exposure remains a significant concern.

Risk & Impact Analysis

Risk to organizations includes potential unauthorized access to user accounts and data through stored XSS attacks. The blast radius of this vulnerability can extend to all users of the affected plugin, creating a wide attack surface if not remediated. Organizations should assess their risk based on current deployments and prioritize the patching of this vulnerability, especially given its medium CVSS score.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The vulnerability affects all versions of Ketchup Shortcodes prior to 0.1.2. Organizations using this plugin should ensure they upgrade to the latest version to mitigate the associated risks.

Mitigation & Remediation

Organizations should prioritize upgrading to the patched version of the Ketchup Shortcodes plugin. If immediate patching is not possible, consider implementing input validation and output encoding measures to mitigate the risk of XSS. Additionally, organizations may benefit from conducting a security assessment to identify any other vulnerabilities within their web applications.

Detection Guidance

Monitor web application logs for suspicious activity related to script execution. Look for any unusual patterns or requests that could indicate an XSS attack, especially on pages where user input is accepted.

AppSecure Threat Intelligence Insight

The presence of CVE-2025-24673 highlights ongoing challenges in web application security, particularly with user input handling. Organizations should remain vigilant against XSS vulnerabilities and consider implementing comprehensive security testing practices. For more information on effective security measures, organizations can explore resources on penetration testing and other security assessments.

By maintaining a proactive approach to security and regularly updating software components, organizations can significantly reduce their risk exposure to vulnerabilities like CVE-2025-24673.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-24673: Medium Vulnerability in AyeCode Ketchup Shortcodes