CVE-2025-24676
Published: 03 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-24676 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Custom WP Store Locator plugin (custom-store-locator) developed by umangmetatagg for WordPress. The issue affects all versions of the plugin from n/a through 1.4.7 inclusive. It was published on 2025-02-03 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required, though it necessitates user interaction such as clicking a malicious link. With changed scope, exploitation enables low-level impacts on confidentiality, integrity, and availability, typically allowing execution of arbitrary scripts in the victim's browser context on the affected WordPress site.
The Patchstack advisory details this Cross-site Scripting vulnerability in Custom WP Store Locator version 1.4.7 and provides mitigation guidance, available at https://patchstack.com/database/Wordpress/Plugin/custom-store-locator/vulnerability/wordpress-custom-wp-store-locator-plugin-1-4-7-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS vulnerability enables arbitrary JavaScript execution in the victim's browser when a user clicks a crafted malicious link to the vulnerable WordPress plugin page.