CVE-2025-24576 Overview
CVE-2025-24576 is a reflected cross-site scripting (XSS) vulnerability in the fatcatapps Landing Page Cat WordPress plugin. The flaw affects all versions of landing-page-cat up to and including 1.7.7. The vulnerability stems from improper neutralization of user-supplied input during web page generation, classified under [CWE-79].
Attackers can craft malicious URLs that execute arbitrary JavaScript in a victim's browser when the victim clicks the link. Successful exploitation requires user interaction but no authentication. The scope-changed nature of the issue means injected scripts can affect resources beyond the vulnerable component.
Critical Impact
Attackers can execute arbitrary JavaScript in victim browsers, enabling session theft, credential harvesting, and unauthorized actions on behalf of authenticated WordPress users.
Affected Products
- fatcatapps Landing Page Cat plugin for WordPress
- All versions through 1.7.7
- WordPress sites with the landing-page-cat plugin installed and active
Discovery Timeline
- 2025-02-03 - CVE-2025-24576 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-24576
Vulnerability Analysis
The Landing Page Cat plugin fails to sanitize user-controllable input before reflecting it into rendered HTML output. This is a classic reflected XSS pattern where input arrives in an HTTP request parameter and gets echoed back in the response without proper encoding. The vulnerability requires victim interaction, typically by clicking a crafted link.
Because the scope changes during exploitation, injected JavaScript can interact with resources outside the vulnerable plugin context. This includes the broader WordPress admin session if an authenticated administrator triggers the payload. Attackers gain low-impact reads, writes, and availability disruption on confidentiality, integrity, and availability dimensions.
Root Cause
The root cause is missing output encoding and input validation in request handlers within the landing-page-cat plugin. User-supplied parameters are concatenated into HTML responses without HTML entity encoding or contextual escaping. WordPress provides functions like esc_html(), esc_attr(), and wp_kses() that the plugin did not apply consistently to tainted data flows.
Attack Vector
Exploitation occurs over the network. An attacker crafts a URL containing a JavaScript payload as a query parameter pointed at a vulnerable Landing Page Cat endpoint. The attacker distributes the link through phishing emails, social media, or compromised sites. When a victim clicks the link, the plugin reflects the payload into the response, and the browser executes it under the target site's origin.
The vulnerability mechanism is described in the Patchstack advisory for Landing Page Cat. No verified proof-of-concept code has been published, and the issue carries an EPSS probability of 0.044%.
Detection Methods for CVE-2025-24576
Indicators of Compromise
- HTTP requests to Landing Page Cat plugin endpoints containing <script>, javascript:, onerror=, or onload= tokens in query parameters
- URL-encoded payload variants such as %3Cscript%3E or %22%3E%3Csvg appearing in web server access logs
- Referrer headers from external phishing domains pointing at /wp-content/plugins/landing-page-cat/ paths
- Unexpected outbound requests from user browsers to attacker-controlled domains following plugin page visits
Detection Strategies
- Inspect web server and WAF logs for reflected XSS signatures targeting plugin parameters
- Deploy Content Security Policy (CSP) violation reporting to catch inline script execution attempts
- Monitor browser-side JavaScript errors and unexpected DOM modifications on pages served by the plugin
- Correlate spikes in 200-response traffic to plugin URLs with suspicious referrers or user agents
Monitoring Recommendations
- Enable WordPress audit logging to track plugin activity and administrator session anomalies
- Forward web server logs to a centralized SIEM with rules for common XSS payload patterns
- Alert on administrator account actions immediately following clicks on external links
- Periodically scan installed plugins against the WordPress vulnerability database for known issues
How to Mitigate CVE-2025-24576
Immediate Actions Required
- Identify all WordPress installations running landing-page-cat version 1.7.7 or earlier
- Deactivate the Landing Page Cat plugin until a patched version is installed
- Train administrators to avoid clicking unsolicited links pointing at their own WordPress domains
- Rotate WordPress administrator credentials if exploitation is suspected
Patch Information
At the time of NVD publication, the advisory identifies versions through 1.7.7 as vulnerable. Site operators should consult the Patchstack advisory and the plugin vendor's release notes for the latest fixed version, then upgrade through the WordPress plugin manager.
Workarounds
- Deploy a web application firewall rule blocking common XSS payloads on requests to plugin endpoints
- Apply a strict Content Security Policy that disallows inline scripts and untrusted script sources
- Restrict access to the plugin's pages using IP allowlists or authentication where feasible
- Remove the plugin entirely if it is not actively required for site functionality
# Example WAF rule fragment blocking script tags in query strings
SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=)" \
"id:1024576,phase:2,deny,status:403,msg:'Possible XSS targeting landing-page-cat (CVE-2025-24576)'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
