CVE-2025-24745 Overview
CVE-2025-24745 is a reflected Cross-Site Scripting (XSS) vulnerability in the RadiusTheme Classified Listing plugin for WordPress. The flaw stems from improper neutralization of user input during web page generation [CWE-79]. Attackers can craft malicious URLs that, when clicked by a victim, execute arbitrary JavaScript in the victim's browser session. The vulnerability affects all versions of Classified Listing up to and including 4.0.1. Successful exploitation can lead to session theft, credential harvesting, redirection to attacker-controlled infrastructure, and unauthorized actions performed in the context of the targeted user.
Critical Impact
Reflected XSS with a changed security scope allows attackers to execute scripts that affect resources beyond the vulnerable component, including authenticated WordPress sessions.
Affected Products
- RadiusTheme Classified Listing plugin for WordPress
- All versions from initial release through 4.0.1
- WordPress sites that have the plugin installed and active
Discovery Timeline
- 2025-04-17 - CVE-2025-24745 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-24745
Vulnerability Analysis
The vulnerability is a reflected XSS issue in the Classified Listing plugin. User-supplied input is reflected back into HTML responses without proper output encoding or sanitization. An attacker delivers the malicious payload through a crafted link, typically via phishing email, malicious advertisement, or social media. When a victim visits the link, the browser renders the injected script in the context of the vulnerable WordPress site.
Because the vulnerability has a changed scope, injected script can affect resources outside the vulnerable plugin. This includes cookies, tokens, and DOM elements belonging to the broader WordPress site. The impact extends to confidentiality, integrity, and availability of the user's session, though each at limited severity.
Root Cause
The root cause is the failure to neutralize special characters in input that is later embedded into generated web pages. The plugin does not apply WordPress sanitization helpers such as esc_html(), esc_attr(), or wp_kses() on parameters that flow into rendered output. Refer to the Patchstack WordPress Vulnerability Report for additional technical context.
Attack Vector
Exploitation requires user interaction. The attacker crafts a URL containing an XSS payload in a vulnerable parameter handled by the Classified Listing plugin. The victim must click the link while browsing the targeted WordPress site. No authentication is required by the attacker. Once executed, the payload runs with the privileges of the victim's current session and can exfiltrate session cookies, inject phishing forms, or pivot to administrative actions if the victim holds elevated roles.
Detection Methods for CVE-2025-24745
Indicators of Compromise
- Inbound HTTP requests to Classified Listing plugin endpoints containing <script>, javascript:, onerror=, or URL-encoded equivalents such as %3Cscript%3E.
- Web server access logs showing unusually long query strings or encoded HTML entities targeting plugin parameters.
- Outbound browser requests from authenticated users to unfamiliar domains immediately after visiting Classified Listing pages.
Detection Strategies
- Deploy a Web Application Firewall (WAF) with rule sets that identify reflected XSS patterns in query parameters and form fields.
- Review WordPress access logs for HTTP requests to plugin routes containing suspicious script tags or event handlers.
- Implement a strict Content Security Policy (CSP) and monitor report-uri violations for inline script execution attempts.
Monitoring Recommendations
- Alert on POST and GET requests targeting Classified Listing endpoints with payloads matching common XSS signatures.
- Track administrator and editor account activity for anomalous session reuse, IP changes, or unexpected privilege changes.
- Monitor outbound traffic from web servers to identify exfiltration of cookies or tokens via attacker-controlled domains.
How to Mitigate CVE-2025-24745
Immediate Actions Required
- Update the Classified Listing plugin to a version higher than 4.0.1 once the vendor publishes a patched release.
- If no patch is available, deactivate and remove the plugin from production WordPress installations.
- Rotate WordPress administrator and editor credentials and invalidate active sessions to limit post-exploitation reuse.
Patch Information
The vulnerability affects Classified Listing versions up to and including 4.0.1. Administrators should consult the Patchstack WordPress Vulnerability Report and the WordPress plugin repository for the latest fixed release. Apply the update across all environments after validating in staging.
Workarounds
- Deploy a WAF rule that blocks requests containing <script>, javascript:, and common event handler attributes targeting Classified Listing parameters.
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins.
- Restrict access to Classified Listing pages to authenticated users where business requirements allow, reducing exposure to unauthenticated visitors.
# Configuration example: Apache mod_security rule to block reflected XSS payloads
SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=)" \
"id:1024745,phase:2,deny,status:403,msg:'Potential XSS targeting Classified Listing (CVE-2025-24745)'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
