CVE-2025-49413
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Store Finder superstorefinder-wp allows Reflected XSS. This issue affects Super Store Finder: from n/a through <= 7.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Super Store Finder plugin versions up to 7.6 allows attackers to inject malicious scripts into admin-facing pages via improperly neutralized input.
The vulnerability is a reflected cross-site scripting (XSS) flaw in the Super Store Finder WordPress plugin by highwarden. Versions up to and including 7.6 are affected. The root cause is improper neutralization of user-supplied input during web page generation, which allows an attacker to inject arbitrary HTML or JavaScript into a page generated by the plugin [1].
To exploit this, an attacker must trick a privileged user (e.g., an administrator) into interacting with a crafted link or visiting a maliciously crafted page. Since the XSS is reflected, the payload is not stored on the server but is delivered via a request and reflected back in the response. The attacker does not require authentication, but the victim must be logged in and perform the action [1].
Successful exploitation enables the attacker to execute scripts in the context of the victim's browser session. This can be used to redirect visitors, display advertisements, or perform other actions such as stealing session cookies or modifying page content. The CVSS score is 7.1, indicating high severity [1].
The vulnerability has been patched in version 7.7 of the plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until an update is applied. Since this type of vulnerability is commonly used in mass-exploit campaigns, prompt remediation is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.