CVE-2025-25166
Published: 07 February 2025
Description
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Security Summary
CVE-2025-25166 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the InLocation WordPress plugin developed by gabrieldarezzo. The flaw affects InLocation versions from unknown initial release through 1.8 and enables Stored Cross-Site Scripting (XSS) via CSRF-protected endpoints.
With a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), the vulnerability is exploitable over the network by unauthenticated attackers requiring low complexity and user interaction. An attacker can lure authenticated users to a malicious site that forges a request to store an XSS payload, which executes in the browser context of subsequent users viewing affected content, enabling low-level impacts on confidentiality, integrity, and availability such as script injection or data exfiltration.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/inlocation/vulnerability/wordpress-inlocation-plugin-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve provides details on the issue in the WordPress InLocation plugin version 1.8. Security practitioners should review this reference for recommended mitigations and patch information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF to stored XSS in public-facing WordPress plugin directly enables T1190 for exploitation; resulting persistent client-side script execution facilitates T1189 drive-by compromise on visitors.