VYPR
High severity (7.1) · NVD Advisory · Published Mar 3, 2025 · Updated Apr 23, 2026

CVE-2025-23519

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jas Saran G Web Pro Store Locator gwebpro-store-locator allows Reflected XSS. This issue affects G Web Pro Store Locator: from n/a through <= 2.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WordPress G Web Pro Store Locator plugin ≤2.0.1 allows attackers to inject malicious scripts via crafted requests.

The G Web Pro Store Locator plugin for WordPress, versions 2.0.1 and below, contains a reflected cross-site scripting (XSS) vulnerability. The plugin fails to properly neutralize input during web page generation, allowing unfiltered user-supplied data to be reflected back in the response [1]. This is a classic instance of improper input sanitization.

Exploitation requires user interaction, such as clicking a crafted link or visiting a maliciously formed page. While an attacker does not need authentication to deliver the link, the targeted user (typically an administrator or editor) must perform an action like clicking the link for the payload to execute [1]. The attack is reflected: the injected script is returned in the response to the crafted request and executes immediately in the victim's browser.

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the victim's browser session. This can be leveraged to perform redirects, display advertisements, steal session tokens, or deface the site [1]. The impact is amplified in mass-exploit campaigns, where attackers target thousands of WordPress sites running the vulnerable plugin.

No official patch has been released as of the publication date. Patchstack offers a mitigation rule to block attacks until an update is available [1]. Users are strongly advised to update the plugin immediately when a patched version is released, or to contact their hosting provider for assistance. The vulnerability has a CVSS v3 score of 7.1 (High) and is listed as expected to be exploited.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
