CVE-2025-25161
Published: 03 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-25161 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the WP Find Your Nearest WordPress plugin developed by SocialEvolution. The issue impacts all versions of the plugin up to and including 0.3.1, with no lower bound specified. Published on March 3, 2025, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction dependency, and changed scope.
Remote attackers without authentication can exploit this reflected XSS flaw by crafting malicious links or inputs that, when a victim user interacts with them (for example by clicking a link or submitting a form), inject and execute arbitrary JavaScript in the victim's browser context. Successful exploitation has limited impact, matching the C:L/I:L/A:L components of the vector: low-level disclosure of sensitive data (e.g., cookies or session tokens), minor data modification, and low availability impact, all within the scope of the compromised site.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-find-your-nearest/vulnerability/wordpress-globalquran-plugin-1-0-csrf-to-settings-change-vulnerability-2?_s_id=cve provides details on the vulnerability, recommending mitigation through updating to a patched version of the WP Find Your Nearest plugin where available or removing the plugin if no update exists. Security practitioners should scan environments for vulnerable installations and apply defenses like Content Security Policy (CSP) to reduce XSS risks in the interim.
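The following is an added illustration of the vulnerability class (CWE-79 reflected XSS) and its standard WordPress-side fix; it is not code from the WP Find Your Nearest plugin and does not reproduce the plugin's actual flaw. The parameter name `location` and the function names are hypothetical placeholders. It contrasts a handler that echoes request input straight into the page with one that sanitizes on input and escapes per output context using WordPress's `wp_unslash()`, `sanitize_text_field()`, `esc_attr()` and `esc_html()`; minimal fallbacks are defined so the file also runs outside WordPress.

```php
<?php
// Added example (not plugin code). Parameter name `location` is hypothetical.

if ( ! function_exists( 'esc_html' ) ) {
    // Fallbacks so this file runs stand-alone (`php example.php`); inside
    // WordPress the real functions are used instead.
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
    function wp_unslash( $s ) { return stripslashes( (string) $s ); }
    function sanitize_text_field( $s ) { return trim( strip_tags( (string) $s ) ); }
}

// VULNERABLE pattern: request input is concatenated into HTML unescaped.
// A crafted link carrying markup in `location` is reflected into the response,
// which is exactly the reflected-XSS condition described in the advisory.
function fyn_render_search_vulnerable( array $get ) {
    $q = isset( $get['location'] ) ? $get['location'] : '';
    return '<input type="text" name="location" value="' . $q . '">'
         . '<p>Results near ' . $q . '</p>';
}

// HARDENED pattern: unslash and sanitize on input, then escape for the
// specific output context (attribute value vs. text node).
function fyn_render_search_hardened( array $get ) {
    $q = isset( $get['location'] ) ? sanitize_text_field( wp_unslash( $get['location'] ) ) : '';
    return '<input type="text" name="location" value="' . esc_attr( $q ) . '">'
         . '<p>Results near ' . esc_html( $q ) . '</p>';
}

// Constructed input that breaks out of the attribute and injects markup.
$constructed_request = array( 'location' => '"><b>injected</b>' );

echo "Vulnerable output:\n" . fyn_render_search_vulnerable( $constructed_request ) . "\n\n";
echo "Hardened output:\n"   . fyn_render_search_hardened( $constructed_request ) . "\n";
```

Running the file shows the vulnerable branch closing the attribute and emitting a live `<b>` element, while the hardened branch renders the same bytes as inert text. Escaping at output is the primary fix; a Content-Security-Policy header (for example one that disallows inline scripts) is a complementary control that limits what an injected script can do if an escaping gap is missed elsewhere.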
Details
CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation)
MITRE ATT&CK Enterprise Techniques: T1203 (Exploitation for Client Execution), T1204.001 (User Execution: Malicious Link)
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser via a malicious link (T1203 Exploitation for Client Execution, T1204.001 Malicious Link), and that script execution directly facilitates the theft of session cookies and tokens described above.