CVE-2025-27351

Vulnerability

Description The Local Search SEO Contact Page plugin for WordPress (versions up to and including 4.0.1) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an authenticated attacker with sufficient privileges to inject arbitrary web scripts or HTML into the plugin's pages [1].

Exploitation

Mechanism To exploit this vulnerability, an attacker must have a privileged role (such as an editor or administrator) that can submit or save data handled by the plugin [1]. The injected malicious payload is stored on the server and automatically executed when other users, including site visitors, access the affected page [1]. No direct user interaction beyond visiting the compromised page is required for the stored script to run.

Impact

Successful exploitation enables the attacker to perform actions in the context of the victim's browser, such as redirecting visitors to malicious sites, displaying unwanted advertisements, or stealing session cookies and other sensitive information [1]. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of WordPress sites simultaneously, regardless of size or popularity [1].

Mitigation

The vulnerability has been addressed in a patched version of the plugin. Users are strongly advised to update the Local Search SEO Contact Page plugin to the latest available version immediately [1]. If updating is not possible, site administrators should contact their hosting provider or web developer for assistance with alternative mitigation measures [1].