Cyber Posture

CVE-2025-23519

High

Published: 03 March 2025

Published
03 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0023 45.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-23519 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 45.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

SI-2 mandates remediation of the specific Reflected XSS flaw in G Web Pro Store Locator plugin versions through <=2.0.1 by applying patches or updates.

SI-15 Information Output Filtering good match
prevent

SI-15 filters information output during web page generation in the store locator plugin to neutralize reflected malicious scripts and prevent execution in victims' browsers.

SI-10 Information Input Validation good match
prevent

SI-10 validates inputs to the G Web Pro Store Locator plugin, blocking malicious payloads that could be reflected as XSS in generated web pages.

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
attack.mitre.org →
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
attack.mitre.org →
Why these techniques?

Reflected XSS enables exploitation via crafted malicious links to trigger browser script execution (T1566.002) for impacts including session token exfiltration (T1539).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jas Saran G Web Pro Store Locator gwebpro-store-locator allows Reflected XSS.This issue affects G Web Pro Store Locator: from n/a through <= 2.0.1.

Deeper analysisAI

CVE-2025-23519 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the WordPress plugin G Web Pro Store Locator (gwebpro-store-locator) developed by Jas Saran. The issue impacts all versions from n/a through 2.0.1 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility and scope change.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity by tricking users into interacting with a maliciously crafted link or input reflected in the web page. Successful exploitation executes arbitrary scripts in the victim's browser context, enabling low-level impacts such as limited data exfiltration (e.g., session tokens), page manipulation, or minor denial of service within the changed scope.

The Patchstack advisory documents the Reflected XSS vulnerability specifically in G Web Pro Store Locator plugin version 2.0.1 and earlier for WordPress, highlighting the affected component and providing details on the issue.

Details

CWE(s)
CWE-79

CVEs Like This One

CVE-2025-25133Shared CWE-79
CVE-2025-25090Shared CWE-79
CVE-2025-23441Shared CWE-79
CVE-2025-23545Shared CWE-79
CVE-2025-23753Shared CWE-79
CVE-2025-23593Shared CWE-79
CVE-2026-28110Shared CWE-79
CVE-2026-23973Shared CWE-79
CVE-2025-22760Shared CWE-79
CVE-2026-22256Shared CWE-79

References