Skip to main content

WP Find Your Nearest CVE-2025-25161

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Find Your Nearest allows Reflected XSS. This issue affects WP Find Your Nearest: from n/a through 0.3.1.

AnalysisAI

Reflected cross-site scripting in WP Find Your Nearest WordPress plugin versions up to 0.3.1 allows remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. The vulnerability enables attackers to steal session cookies, perform actions as the victim, or deliver malware, provided the victim clicks a malicious link. EPSS score of 0.09% suggests low current exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.

Technical ContextAI

WP Find Your Nearest is a WordPress plugin for location-based services. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input parameters in HTTP requests are not properly sanitized or encoded before being reflected in HTML responses. In WordPress plugins, this typically occurs when GET or POST parameters are directly echoed into page output without using WordPress escaping functions like esc_html(), esc_attr(), or esc_js(). The CVSS scope change (S:C) indicates the vulnerable component (the plugin) operates under different privileges than the victim's browser context, allowing JavaScript execution in the user's session domain.

Affected ProductsAI

WordPress plugin WP Find Your Nearest versions from earliest release through 0.3.1 are confirmed vulnerable per Patchstack advisory. The vulnerability affects all installations of these versions regardless of configuration. WordPress core is not affected - only sites with this specific plugin installed and activated are at risk. Patchstack database references are available at https://patchstack.com/database/wordpress/plugin/wp-find-your-nearest/vulnerability/wordpress-globalquran-plugin-1-0-csrf-to-settings-change-vulnerability-2?_s_id=cve

RemediationAI

Upgrade WP Find Your Nearest plugin to version 0.3.2 or later if available from the WordPress plugin repository or vendor. Verify the patch by checking the plugin changelog for XSS fixes affecting input sanitization. Until patching, implement defense-in-depth measures: configure Content Security Policy headers to restrict inline JavaScript execution (note: may break legitimate plugin functionality), train administrative users to avoid clicking untrusted links while logged into WordPress, and consider temporarily disabling the plugin if location search features are non-critical. Monitor WordPress admin access logs for suspicious activity. Vendor advisory and technical details available at https://patchstack.com/database/wordpress/plugin/wp-find-your-nearest/vulnerability/wordpress-globalquran-plugin-1-0-csrf-to-settings-change-vulnerability-2?_s_id=cve

Share

CVE-2025-25161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy