CVE-2025-22513

The Simple Locator plugin for WordPress versions up to and including 2.0.4 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw, classified under CWE-79, enables attackers to inject arbitrary HTML and JavaScript into the application's response.

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page, but can be initiated by any visitor without prior authentication [1]. The attack vector is network-based with low complexity, making it accessible to remote attackers. Once the victim—typically a privileged user like an administrator—interacts with the crafted URL, the injected script executes in the context of the vulnerable site.

Successful exploitation could allow an attacker to perform actions such as redirecting users, injecting advertisements, stealing session cookies, or defacing the website. The CVSS v3 base score is 7.1 (High), indicating significant potential for harm [1].

As of the advisory, no official patch has been released, but users are strongly advised to update the plugin immediately when a patched version becomes available. In the meantime, a mitigation rule from Patchstack is available to block attacks until the fix can be applied [1].