CVE-2025-24676
Published: 03 February 2025
Summary
CVE-2025-24676 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE ranks at the 15.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-24676 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Custom WP Store Locator plugin (custom-store-locator) developed by umangmetatagg for WordPress. The issue affects all versions of the plugin up to and including 1.4.7. It was published on 2025-02-03 with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required, though it necessitates user interaction such as clicking a malicious link. With changed scope, exploitation enables low-level impacts on confidentiality, integrity, and availability, typically allowing execution of arbitrary scripts in the victim's browser context on the affected WordPress site.
The Patchstack advisory details this Cross-site Scripting vulnerability in Custom WP Store Locator version 1.4.7 and provides mitigation guidance, available at https://patchstack.com/database/Wordpress/Plugin/custom-store-locator/vulnerability/wordpress-custom-wp-store-locator-plugin-1-4-7-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3870
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in umangmetatagg Custom WP Store Locator custom-store-locator allows Reflected XSS. This issue affects Custom WP Store Locator: from n/a through <= 1.4.7.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS vulnerability enables arbitrary JavaScript execution in the victim's browser when a user clicks a crafted malicious link to the vulnerable WordPress plugin page.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2025-24676 by requiring identification, reporting, and timely patching of the vulnerable Custom WP Store Locator plugin versions <=1.4.7.
- Prevents reflected XSS exploitation by filtering and encoding plugin-generated web page outputs to neutralize injected scripts.
- Addresses improper input neutralization in the plugin by validating user-supplied inputs at web entry points to block malicious XSS payloads.