VYPR
Medium severity · 5.9 · NVD Advisory · Published Sep 5, 2025 · Updated Apr 23, 2026

CVE-2025-58886

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tan Nguyen Instant Locations instant-locations allows Stored XSS. This issue affects Instant Locations: from n/a through <= 1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in WordPress Instant Locations plugin up to 1.0 allows attackers to inject malicious scripts via improper input neutralization.

The Instant Locations plugin for WordPress (versions up to and including 1.0) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and later executed in the browsers of visitors.

Exploitation requires a privileged user (such as an administrator) to perform an action—for example, clicking a malicious link or submitting a crafted form—that triggers the stored payload. Once triggered, the injected script becomes active for all subsequent site visitors. The vulnerability is particularly dangerous because it can be leveraged in mass-exploit campaigns targeting thousands of WordPress sites simultaneously, regardless of their size or popularity [1].

A successful attack enables the injection of malicious scripts that can perform redirects, display advertisements, steal session cookies, or deliver other HTML payloads. This compromises the integrity of the affected website and can harm its visitors by exposing them to phishing or malware distribution [1].

As an immediate mitigation, users should update the Instant Locations plugin to a patched version if one becomes available. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. No workaround details are provided in the advisory, so the safest course is to disable the plugin until a fix is applied [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
