CVE-2025-24575 - Vulnerability Details

- WordPress HelloAsso plugin <= 1.1.11 - Cross Site Scripting (XSS) vulnerability

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HelloAsso HelloAsso helloasso allows Stored XSS.This issue affects HelloAsso: from n/a through <= 1.1.11.

Published: 2025-01-24

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The HelloAsso "helloasso" plugin for WordPress contains an improper neutralization of user‑supplied input during page generation, allowing a stored cross‑site scripting (XSS) flaw. An attacker who can insert malicious scripts into the plugin’s input fields will cause them to be rendered unescaped in the browser of any visitor to the affected page, potentially enabling script execution in the victim’s browser.

Affected Systems

WordPress sites that run the HelloAsso "helloasso" plugin version 1.1.11 or earlier are affected. The issue is disclosed for all release versions up to and including 1.1.11, with no later versions identified as vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% reflects a very low probability of exploitation at the time of reporting. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via the plugin’s web interface, where the attacker must supply malicious input that the plugin stores and subsequently displays without proper encoding. Successful exploitation would result in arbitrary script execution on all browsers that view the affected page.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

HelloAsso

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.11

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the HelloAsso "helloasso" plugin to a version newer than 1.1.11 or uninstall the plugin if it is not required.
Enable or configure WordPress security plugins that filter and sanitize user input, ensuring output is properly escaped to prevent XSS.
Monitor web server logs for unexpected script injection attempts or abnormal POST requests to the plugin’s endpoints.

Generated by OpenCVE AI on May 2, 2026 at 09:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-3783	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HelloAsso HelloAsso allows Stored XSS. This issue affects HelloAsso: from n/a through 1.1.11.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0034.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/helloasso/vulnerability/wordpress-helloasso-plugin-1-1-11-cross-site-scripting-xss-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HelloAsso HelloAsso allows Stored XSS. This issue affects HelloAsso: from n/a through 1.1.11.	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HelloAsso HelloAsso helloasso allows Stored XSS.This issue affects HelloAsso: from n/a through <= 1.1.11.
References	https://patchstack.com/database/wordpress/plugin/helloasso/vulnerability/wordpress-helloasso-plugin-1-1-11-cross-site-scripting-xss-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/helloasso/vulnerability/wordpress-helloasso-plugin-1-1-11-cross-site-scripting-xss-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}`

Fri, 24 Jan 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Jan 2025 17:30:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HelloAsso HelloAsso allows Stored XSS. This issue affects HelloAsso: from n/a through 1.1.11.
Title		WordPress HelloAsso plugin <= 1.1.11 - Cross Site Scripting (XSS) vulnerability
Weaknesses		CWE-79
References		https://patchstack.com/database/wordpress/plugin/helloasso/vulnerability/wordpress-helloasso-plugin-1-1-11-cross-site-scripting-xss-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-01-24T17:24:15.115Z

Updated: 2026-05-12T23:47:36.564Z

Reserved: 2025-01-23T14:50:41.360Z

Link: CVE-2025-24575

Vulnrichment

Updated: 2025-01-24T18:48:13.897Z

NVD

Status : Deferred

Published: 2025-01-24T18:15:34.793

Modified: 2026-06-17T08:59:15.247

Link: CVE-2025-24575

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:45:36Z

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object