CVE-2025-25161
Published: 03 March 2025
Summary
CVE-2025-25161 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 42.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-25161 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-Site Scripting (XSS) under CWE-79, affecting the WP Find Your Nearest WordPress plugin developed by SocialEvolution. The issue impacts all versions of the plugin up to and including 0.3.1, with no lower bound specified. Published on March 3, 2025, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, user interaction dependency, and changed scope.
Remote, unauthenticated attackers can exploit this reflected XSS flaw by crafting a malicious link or form submission; when a victim interacts with it (UI:R), the attacker-controlled input is reflected into the generated page and executes as JavaScript in the victim's browser, in the origin of the affected site. The CVSS vector rates each impact as low (C:L/I:L/A:L): disclosure of data reachable from the page, such as cookies not marked HttpOnly or tokens present in the DOM; modification of data the victim is authorised to change on the site; and limited availability impact. The scope is changed (S:C) because the vulnerable component is the server-side plugin while the injected code runs in the user's browser.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-find-your-nearest/vulnerability/wordpress-globalquran-plugin-1-0-csrf-to-settings-change-vulnerability-2?_s_id=cve provides details and recommends updating to a patched version of WP Find Your Nearest where one is available, or removing the plugin if none exists. Security practitioners should inventory their WordPress installations for the plugin at version 0.3.1 or lower and, in the interim, apply a Content Security Policy that disallows inline script; that blocks the common reflected payloads but does not remove the flaw.
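An inventory check of the kind recommended above, as an added example (not code from this page, from Patchstack or from SocialEvolution): it reads the Version: field from the header of each plugin's main file under wp-content/plugins and flags wp-find-your-nearest at 0.3.1 or lower, the affected range stated in the advisory. The layout plugins/<slug>/<slug>.php, the sample headers and the second plugin slug are assumptions; a real plugin's main file may be named differently.

```python
import os
import re
import tempfile

# Affected range from the advisory: all versions up to and including 0.3.1.
AFFECTED_PLUGIN_SLUG = "wp-find-your-nearest"
LAST_AFFECTED_VERSION = "0.3.1"

# WordPress plugin header line, e.g. " * Version: 0.3.1" inside the /** */ block.
_VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def version_key(version: str) -> tuple:
    """Turn '0.3.1' into (0, 3, 1) so tuple comparison orders versions.
    Only the leading dotted-numeric part is compared; a suffix such as
    '-beta' is ignored, which errs on the side of flagging the install."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if m is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def parse_plugin_version(header_text: str):
    """Extract the Version: field from a WordPress plugin file header, or None."""
    m = _VERSION_HEADER.search(header_text)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside 'from n/a through <= 0.3.1'."""
    return version_key(version) <= version_key(LAST_AFFECTED_VERSION)


def scan_plugins_dir(plugins_dir: str) -> list:
    """Return [(slug, version, vulnerable)] for every plugin whose main file
    carries a Version: header. Assumes (hypothetically) that each plugin's
    main file is <slug>/<slug>.php; only the affected slug is ever flagged."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        main_file = os.path.join(plugins_dir, slug, slug + ".php")
        if not os.path.isfile(main_file):
            continue
        with open(main_file, encoding="utf-8", errors="replace") as fh:
            header = fh.read(8192)  # the header block sits at the top of the file
        version = parse_plugin_version(header)
        if version is None:
            continue
        vulnerable = slug == AFFECTED_PLUGIN_SLUG and is_vulnerable(version)
        findings.append((slug, version, vulnerable))
    return findings


# Constructed sample data: two plugin headers in the WordPress format.
SAMPLE_PLUGIN_HEADERS = {
    "wp-find-your-nearest": "<?php\n/**\n * Plugin Name: WP Find Your Nearest\n * Version: 0.3.1\n */\n",
    "example-gallery": "<?php\n/**\n * Plugin Name: Example Gallery\n * Version: 1.4.2\n */\n",
}


def demo() -> list:
    """Write the constructed sample plugins to a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as plugins_dir:
        for slug, header in SAMPLE_PLUGIN_HEADERS.items():
            os.makedirs(os.path.join(plugins_dir, slug))
            with open(os.path.join(plugins_dir, slug, slug + ".php"), "w", encoding="utf-8") as fh:
                fh.write(header)
        return scan_plugins_dir(plugins_dir)


if __name__ == "__main__":
    for slug, version, vulnerable in demo():
        status = "VULNERABLE (CVE-2025-25161)" if vulnerable else "ok"
        print(f"{slug} {version} {status}")
```

Point scan_plugins_dir at a real wp-content/plugins directory to run it against an installation; the comparison is deliberately inclusive of 0.3.1 because the advisory gives no fixed version.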
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5644
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SocialEvolution WP Find Your Nearest wp-find-your-nearest allows Reflected XSS. This issue affects WP Find Your Nearest: from n/a through <= 0.3.1.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JS execution in browser via malicious links (T1203 Exploitation for Client Execution, T1204.001 Malicious Link) and directly facilitates theft of session cookies/tokens as described.
Affected Assets
- WP Find Your Nearest (wp-find-your-nearest) WordPress plugin by SocialEvolution, versions up to and including 0.3.1
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires identifying, reporting and correcting the reflected XSS flaw in the WP Find Your Nearest plugin, by updating to a patched version or removing the plugin.
- SI-15 (Information Output Filtering): mandates filtering information outputs so that untrusted input is neutralized (encoded for its HTML context) during web page generation, preventing reflected input from executing as JavaScript.
- SI-10 (Information Input Validation): requires validation of user inputs so that payloads which could be reflected as executable script are rejected or sanitized before they reach the page.
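The output-filtering and input-validation controls above, and the reflection mechanism described under Deeper analysis, as an added example (not the plugin's code, which the advisory does not show): a vulnerable render function that writes a request value straight into an attribute and a text node, the same page with HTML encoding applied at the sink, and a hardened version that also validates the value on input and ships a Content Security Policy without 'unsafe-inline'. The parameter name q, the payload, the validation rule and the page markup are assumptions.

```python
import html
import re

# Hypothetical request parameter; the advisory does not name the affected one.
PARAM = "q"

# Constructed reflected-XSS payload: the leading quote breaks out of the
# attribute context, the script tag then lands in the element context.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_unsafe(query: str) -> str:
    """Vulnerable pattern (illustrative, not the plugin's code): the request
    value is written into the page as-is, in both an attribute and a text node."""
    return (
        f'<form><input name="{PARAM}" value="{query}"></form>'
        f"<p>Results near {query}</p>"
    )


def render_encoded(query: str) -> str:
    """SI-15 at the sink: encode for the HTML context at output time.
    html.escape(quote=True) covers both the quoted attribute and the text
    node here; in a WordPress plugin the equivalents are esc_attr() and
    esc_html(). Other contexts (URL, JavaScript) need their own encoders."""
    safe = html.escape(query, quote=True)
    return (
        f'<form><input name="{PARAM}" value="{safe}"></form>'
        f"<p>Results near {safe}</p>"
    )


def validate_location(query: str) -> str:
    """SI-10 on the way in: a place-name or postcode field only needs letters,
    digits, spaces and a few punctuation marks (assumed rule). Reject rather
    than repair, so a rejected value never reaches the page."""
    if len(query) > 64 or not re.fullmatch(r"[A-Za-z0-9 ,.'\-]*", query):
        raise ValueError("invalid location value")
    return query


def render_hardened(query: str) -> str:
    """Both layers: validate on input, then still encode on output so the
    page stays safe if the validation rule is later relaxed."""
    try:
        query = validate_location(query)
    except ValueError:
        query = ""
    return render_encoded(query)


def response_headers() -> dict:
    """Interim control from the advisory: a CSP without 'unsafe-inline'
    stops an injected inline <script> from running even if reflection
    still happens. It reduces impact; it does not fix the plugin."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def reflects_payload(render, payload: str) -> bool:
    """Quick check used in testing: does the rendered page contain the
    attacker string verbatim?"""
    return payload in render(payload)


if __name__ == "__main__":
    print("unsafe  :", render_unsafe(PAYLOAD))
    print("encoded :", render_encoded(PAYLOAD))
    print("hardened:", render_hardened(PAYLOAD))
    print("headers :", response_headers())
```

Note that validation alone is not a fix for XSS: a field that legitimately accepts free text cannot reject every dangerous character, so the encoding at the sink (SI-15) is the control that actually neutralizes the reflection; validation narrows the attack surface and CSP limits what a surviving injection can do.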