CVE-2025-23519
Published: 03 March 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jas Saran G Web Pro Store Locator gwebpro-store-locator allows Reflected XSS. This issue affects G Web Pro Store Locator: from n/a through <= 2.0.1.
Security Summary
CVE-2025-23519 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the WordPress plugin G Web Pro Store Locator (gwebpro-store-locator) developed by Jas Saran. The issue affects all versions up to and including 2.0.1 (the record gives the lower bound as n/a). Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), which is high severity, driven by network accessibility and scope change.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity by tricking users into interacting with a maliciously crafted link or input reflected in the web page. Successful exploitation executes arbitrary scripts in the victim's browser context, enabling low-level impacts such as limited data exfiltration (e.g., session tokens), page manipulation, or minor denial of service within the changed scope.
The Patchstack advisory documents the Reflected XSS vulnerability in G Web Pro Store Locator plugin version 2.0.1 and earlier for WordPress, identifying the affected component.
Details
- CWE(s)