WP Find Your Nearest CVE-2025-25161
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Find Your Nearest allows Reflected XSS. This issue affects WP Find Your Nearest: from n/a through 0.3.1.
AnalysisAI
Reflected cross-site scripting in WP Find Your Nearest WordPress plugin versions up to 0.3.1 allows remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. The vulnerability enables attackers to steal session cookies, perform actions as the victim, or deliver malware, provided the victim clicks a malicious link. EPSS score of 0.09% suggests low current exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.
Technical ContextAI
WP Find Your Nearest is a WordPress plugin for location-based services. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input parameters in HTTP requests are not properly sanitized or encoded before being reflected in HTML responses. In WordPress plugins, this typically occurs when GET or POST parameters are directly echoed into page output without using WordPress escaping functions like esc_html(), esc_attr(), or esc_js(). The CVSS scope change (S:C) indicates the vulnerable component (the plugin) operates under different privileges than the victim's browser context, allowing JavaScript execution in the user's session domain.
Affected ProductsAI
WordPress plugin WP Find Your Nearest versions from earliest release through 0.3.1 are confirmed vulnerable per Patchstack advisory. The vulnerability affects all installations of these versions regardless of configuration. WordPress core is not affected - only sites with this specific plugin installed and activated are at risk. Patchstack database references are available at https://patchstack.com/database/wordpress/plugin/wp-find-your-nearest/vulnerability/wordpress-globalquran-plugin-1-0-csrf-to-settings-change-vulnerability-2?_s_id=cve
RemediationAI
Upgrade WP Find Your Nearest plugin to version 0.3.2 or later if available from the WordPress plugin repository or vendor. Verify the patch by checking the plugin changelog for XSS fixes affecting input sanitization. Until patching, implement defense-in-depth measures: configure Content Security Policy headers to restrict inline JavaScript execution (note: may break legitimate plugin functionality), train administrative users to avoid clicking untrusted links while logged into WordPress, and consider temporarily disabling the plugin if location search features are non-critical. Monitor WordPress admin access logs for suspicious activity. Vendor advisory and technical details available at https://patchstack.com/database/wordpress/plugin/wp-find-your-nearest/vulnerability/wordpress-globalquran-plugin-1-0-csrf-to-settings-change-vulnerability-2?_s_id=cve
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today