WordPress Organici Library plugin <= 2.1.2 - Reflected Cross Site Scripting (XSS) vulnerability

An attacker could exploit this Reflected XSS vulnerability by crafting a malicious URL containing JavaScript code. When a user clicks on this URL, the injected script executes within their browser context, allowing the attacker to steal cookies, redirect the user to a phishing site, or deface the website. The impact is particularly severe if the website handles sensitive user data, as an attacker could potentially gain access to credentials or other confidential information. The blast radius extends to any user visiting a page containing the vulnerable Organici Library component, making it a widespread concern for WordPress sites utilizing this plugin.

WordPress websites utilizing the NooTheme Organici Library are at risk. Specifically, sites with user-facing input fields that are not properly sanitized are particularly vulnerable. Shared hosting environments where plugin updates are managed centrally may also be at increased risk if updates are not applied promptly.

• wordpress / composer / npm:

grep -r 'noo-organici-library' plugins/
wp plugin list | grep organici

• generic web:

curl -I 'https://example.com/?param=<script>alert(1)</script>' | grep Content-Security-Policy

1. 2026-03-25Disclosure

   disclosure

1. आरक्षित2026-01-28
2. प्रकाशित2026-03-25
3. संशोधित2026-04-28
4. EPSS अद्यतन2026-04-02

The primary mitigation for CVE-2026-24975 is to immediately upgrade the NooTheme Organici Library to version 2.1.3 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data to prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly scan your WordPress site for vulnerable plugins using security scanning tools.