CVE-2025-24558 Overview
CVE-2025-24558 is a reflected cross-site scripting (XSS) vulnerability in the CRM Perks support-x WordPress plugin. The flaw stems from improper neutralization of user-supplied input during web page generation [CWE-79]. All releases up to and including 1.1.5 are affected. An attacker crafts a URL whose parameters are reflected unescaped into the response; when a victim opens the link, the embedded JavaScript executes in the victim's browser within the site's origin. Exploitation requires user interaction but no authentication, and the impact lands outside the plugin's own security scope (a CVSS scope change): the script runs with whatever session the victim holds on the site. Successful attacks may lead to session hijacking, credential harvesting, or unauthorized actions performed as the victim.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in a victim's browser session by tricking them into clicking a crafted URL, potentially compromising WordPress administrator accounts.
Affected Products
- CRM Perks support-x WordPress plugin versions up to and including 1.1.5
- WordPress sites with the vulnerable plugin installed and activated
- Users of those sites, especially administrators, who open crafted links targeting the affected endpoints
Discovery Timeline
- 2025-02-14 - CVE-2025-24558 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-24558
Vulnerability Analysis
The support-x plugin from CRM Perks fails to properly sanitize and encode input that is reflected back into HTTP responses. When a victim loads a URL containing attacker-controlled parameters, the unsanitized values are rendered directly into the resulting HTML page. The browser then executes any embedded script payload in the security context of the WordPress site.
Because this is a reflected XSS variant, the payload is not stored on the server; it travels through the request and response cycle of a single victim interaction. The CVSS scope change describes where the impact lands: the script executes in the victim's browser in the site's origin, not inside the plugin, so it can drive anything the victim's session can reach, including other plugins' settings, the WordPress core admin interface, and the REST API.
Root Cause
The root cause is missing output encoding and input validation on user-controlled request parameters processed by the plugin. Attacker-controlled request data is concatenated into HTML output without escaping characters such as <, >, ", and '. This violates the context-aware output encoding that WordPress plugin coding standards require (esc_html(), esc_attr(), esc_url() and related functions, chosen according to where the value is emitted).
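The pattern described above, as an added illustration (this is not the support-x plugin's code, and the parameter name q, the markup and the payloads are hypothetical; the page does not describe the plugin's real sink). It places raw request data into an attribute and a text node, then shows the same markup with per-context encoding, and separately shows why an inline-script context needs a JavaScript-string encoder rather than HTML escaping:

```python
"""Added illustration of the CWE-79 pattern behind CVE-2025-24558; this is not the
support-x plugin's code. The parameter name q, the markup and the payloads are
hypothetical: the page does not describe the plugin's real sink."""
import html
import json

# Constructed attacker value: closes the quoted attribute, then injects a tag with a handler.
PAYLOAD = '"><img src=x onerror=alert(1)>'
# Constructed value for an inline-script context: tries to close the <script> element early.
JS_PAYLOAD = '</script><img src=x onerror=alert(1)>'


def render_vulnerable(q: str) -> str:
    """The flaw class: raw request data concatenated into an attribute and a text node."""
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def render_hardened(q: str) -> str:
    """Same markup with per-context encoding.
    WordPress equivalents: esc_attr() for the attribute, esc_html() for the text node."""
    return (f'<input name="q" value="{html.escape(q, quote=True)}">'
            f'<p>Results for {html.escape(q)}</p>')


def js_literal_naive(q: str) -> str:
    """JSON encoding alone leaves '</' intact, so the HTML parser still sees </script>."""
    return json.dumps(q)


def js_literal(q: str) -> str:
    """JSON encoding plus '</' -> '<\\/': still a valid JS string literal, but it can no
    longer terminate the script element (PHP: json_encode($q, JSON_HEX_TAG) has the same effect)."""
    return json.dumps(q).replace("</", "<\\/")


def render_js(q: str, literal=js_literal) -> str:
    """Reflection into inline JavaScript. HTML escaping would be the wrong encoder here,
    because entities are not decoded inside <script>; the value must be a JS string literal."""
    return f"<script>var q = {literal(q)};</script>"


def js_round_trips(q: str) -> bool:
    """The hardened literal must still decode to the original value."""
    return json.loads(js_literal(q)) == q


def attribute_breakout(rendered: str) -> bool:
    """Oracle for the HTML contexts: did an <img> tag survive as real markup?"""
    return "<img " in rendered


def script_breakout(rendered: str) -> bool:
    """Oracle for the script context: more than the one legitimate </script> closer."""
    return rendered.lower().count("</script") > 1


if __name__ == "__main__":
    print("vulnerable HTML:", attribute_breakout(render_vulnerable(PAYLOAD)))            # True
    print("hardened HTML  :", attribute_breakout(render_hardened(PAYLOAD)))              # False
    print("naive JS       :", script_breakout(render_js(JS_PAYLOAD, js_literal_naive)))  # True
    print("hardened JS    :", script_breakout(render_js(JS_PAYLOAD)))                    # False
```

The two oracles are deliberately crude (substring checks on the rendered HTML); a real verification is done in a browser or with an HTML parser. The point they make is the one from the root-cause paragraph: the encoder has to match the context the value lands in, and a value that is safe in a text node is not automatically safe inside an attribute or a script block.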
Attack Vector
An attacker constructs a URL targeting a vulnerable plugin endpoint, embeds a JavaScript payload in a reflected parameter, and delivers the link through phishing emails, social media, malicious advertisements, or compromised third-party sites. When an authenticated WordPress administrator opens the link, the payload executes in their browser with the administrator's session. One caveat on impact: WordPress sets its authentication cookies HttpOnly, so the script normally cannot read them through document.cookie. The practical attack is to act from within the page instead: obtain a nonce from the site, then submit wp-admin forms or call the WordPress REST API as the administrator to create users, change settings, or plant a persistent backdoor, ending in full account takeover. For full technical details, see the Patchstack Vulnerability Report.
Detection Methods for CVE-2025-24558
Indicators of Compromise
- HTTP requests to support-x plugin endpoints whose query parameters contain <script>, javascript:, onerror=, onload= or similar payloads, whether literal, URL-encoded or double-encoded (decode before matching)
- Referer headers from external phishing domains preceding WordPress admin session activity
- Unexpected creation of WordPress administrator accounts or modifications to user roles shortly after admin browser activity
- Outbound requests from administrator browsers to attacker-controlled domains immediately following plugin URL visits
Detection Strategies
- Inspect web server access logs for query strings containing HTML or JavaScript metacharacters targeting plugin paths
- Deploy a web application firewall (WAF) with rules that detect reflected XSS payload patterns in inbound requests
- Monitor WordPress audit logs for privileged actions originating from sessions immediately after suspicious referer activity
- Use browser-side Content Security Policy (CSP) violation reports to identify attempts to load inline or external scripts; this requires a report-uri or report-to directive, and Content-Security-Policy-Report-Only collects the reports without blocking anything, which matters because wp-admin itself relies on inline scripts
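The log-inspection strategy above, and the request-based indicators listed under Indicators of Compromise, as an added example that is not taken from the page, Patchstack or the vendor. It parses combined-format access-log lines, restricts attention to paths that can reach plugin code, URL-decodes each query parameter (repeatedly, to catch double encoding) and flags XSS metacharacters. The log lines, the paths admin.php?page=support-x and admin-ajax.php?action=supportx_list, and the parameter names are constructed for this example; the real support-x endpoint and parameter are not named on this page.

```python
"""Added example (not from the page, Patchstack or the vendor): flag reflected-XSS
attempts against a WordPress site in combined-format access logs. The log lines, the
routes admin.php?page=support-x and admin-ajax.php?action=supportx_list, and the
parameter names are constructed; the real support-x endpoint is not named on the page."""
import re
from typing import List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Payload patterns matched only AFTER URL-decoding, so %3Cscript%3E and double-encoded
# variants are caught as well as the literal forms.
XSS_PATTERNS = re.compile(
    r"<\s*script|javascript\s*:|on(?:error|load|mouseover|focus|click)\s*="
    r"|<\s*(?:img|svg|iframe)\b|alert\s*\(|document\.cookie|srcdoc\s*=",
    re.IGNORECASE,
)

# Plugin code is reachable through the plugin directory and through WordPress's own
# routes (admin pages, admin-ajax.php); logging only wp-content/plugins/ would miss hits.
PLUGIN_ROUTE = re.compile(
    r"/wp-content/plugins/support-x/|/wp-admin/admin-ajax\.php$|/wp-admin/admin\.php$"
)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: a single-encoded <script> arriving from an off-site referer, a
# double-encoded attribute breakout, a benign search, and a probe against a non-plugin path.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=support-x&q=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5120 "https://phish.example/" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=supportx_list&s=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Feb/2025:10:02:30 +0000] "GET /wp-admin/admin.php?page=support-x&q=printer%20not%20working HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Feb/2025:10:03:00 +0000] "GET /blog/?s=%3Cscript%3E HTTP/1.1" 200 900 "-" "curl/8.0"
"""


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; attackers double-encode to slip past naive filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it is not an XSS attempt on a plugin route."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not PLUGIN_ROUTE.search(url.path):
        return None
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = decode_fully(value)  # parse_qsl decoded once already; this handles the rest
        if XSS_PATTERNS.search(decoded):
            hits.append((name, decoded))
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": url.path,
            "referer": m["referer"], "hits": hits}


def scan_log(text: str) -> List[dict]:
    """Findings for every line of a log file, in order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against real logs, the route filter is the first thing to tune: it is there to keep the signal on traffic that can reach the plugin, so widen it if the plugin registers front-end routes, and feed the referer field into the off-site-referer check from the indicators list rather than eyeballing it.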
Monitoring Recommendations
- Enable verbose request logging for the wp-content/plugins/support-x/ path and review it for anomalous parameters; plugin handlers are also reached through WordPress routes such as admin-ajax.php and wp-admin pages, so log full query strings on those paths as well
- Alert on outbound traffic from WordPress administrator hosts to newly registered or low-reputation domains
- Continuously inventory installed WordPress plugins and their versions to surface vulnerable instances of support-x at or below 1.1.5
How to Mitigate CVE-2025-24558
Immediate Actions Required
- Identify all WordPress sites running the CRM Perks support-x plugin at version 1.1.5 or earlier
- Deactivate and remove the plugin until a patched version is confirmed available from the vendor
- Force a password reset and re-authentication for all WordPress administrator accounts that may have visited untrusted links
- Review WordPress user, role, and option tables for unauthorized changes
Patch Information
At the time of NVD publication, the advisory indicates affected versions range up to and including 1.1.5. Administrators should consult the Patchstack Vulnerability Report and the CRM Perks vendor channel for the latest fixed release, and update immediately once available.
Workarounds
- Deploy WAF signatures that block reflected XSS payloads targeting the support-x plugin endpoints
- Apply a Content Security Policy on the WordPress site to restrict inline script execution and limit script sources; roll it out in Report-Only mode first, because wp-admin depends on inline scripts and a policy without 'unsafe-inline' (or per-request nonces/hashes) will break the admin interface
- Restrict access to the WordPress administrative interface by IP allowlist or VPN to reduce phishing exposure
- Train administrators to avoid clicking unsolicited links and to authenticate to WordPress only from trusted sessions
# Example: identify support-x installations at or below 1.1.5 across hosted WordPress sites
# (reads the plugin's Version: header; sort -V compares numerically, so 1.1.10 is not mistaken for 1.1.1)
find /var/www -type f -path '*/plugins/support-x/*' -name '*.php' \
  -exec grep -HoE 'Version:[[:space:]]*[0-9]+(\.[0-9]+)*' {} \; |
  while IFS=: read -r file _ ver; do ver=${ver#"${ver%%[0-9]*}"}
    [ "$(printf '%s\n' "$ver" 1.1.5 | sort -V | tail -n1)" = 1.1.5 ] && echo "VULNERABLE $ver $file"
  done
# Disable the plugin via WP-CLI until a fix is applied, once per site (add --network on multisite).
# Do not use --all here: "wp plugin deactivate --all" deactivates every plugin on the site.
wp plugin deactivate support-x --path=/var/www/example-site
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


