CVE-2025-24680 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the WPExperts.io WP Multistore Locator WordPress plugin, affecting all versions up to and including 2.4.7. The vulnerability stems from improper neutralization of script-related HTML tags in user-supplied input that is reflected back in web pages without adequate sanitization or encoding. This allows attackers to craft malicious URLs or input parameters that inject arbitrary JavaScript code into the victim's browser context when the URL is accessed. The reflected nature means the payload is not stored but delivered immediately in the HTTP response. Successful exploitation can lead to session hijacking, theft of cookies or credentials, defacement, or execution of unauthorized actions under the victim's privileges. The plugin is commonly used by WordPress sites to display multiple store locations, making it a target for attackers seeking to compromise e-commerce or business websites. No CVSS score has been assigned yet, and no public exploits are known. The vulnerability was published on January 27, 2025, with the issue reserved a few days earlier. No official patches or updates have been linked, so users must remain vigilant. The lack of authentication requirements and the ease of triggering the vulnerability via crafted URLs increase the risk. The vulnerability affects the confidentiality and integrity of user sessions and data, but does not directly impact availability. Given the widespread use of WordPress and this plugin in various countries, the threat has a broad potential impact.

The impact of CVE-2025-24680 is significant for organizations using the WP Multistore Locator plugin. Exploitation can lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, credentials, or perform actions on behalf of authenticated users. This can result in account takeover, data leakage, and reputational damage. E-commerce and business websites relying on this plugin for location services may suffer customer trust loss and potential financial harm. Since the vulnerability is reflected XSS, attackers typically need to lure victims into clicking malicious links, which can be distributed via phishing or social engineering. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, as proof-of-concept exploits may emerge. The vulnerability does not affect system availability directly but compromises confidentiality and integrity. Organizations with high web traffic and customer interaction are more exposed. The broad deployment of WordPress and this plugin globally means the potential attack surface is large, increasing the likelihood of targeted attacks.

To mitigate CVE-2025-24680, organizations should immediately monitor WPExperts.io for official patches or updates addressing this vulnerability and apply them as soon as they become available. In the interim, implement strict input validation and output encoding on all user-supplied data reflected in web pages, particularly parameters handled by the WP Multistore Locator plugin. Employ Web Application Firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting this plugin. Educate users and administrators about the risks of clicking suspicious links to reduce successful phishing attempts. Consider temporarily disabling or replacing the plugin if patching is not immediately possible, especially on high-value or customer-facing sites. Conduct regular security assessments and penetration tests focusing on XSS vulnerabilities in web applications. Enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Monitor web server and application logs for unusual request patterns indicative of exploitation attempts. Finally, maintain up-to-date backups to facilitate recovery if an attack occurs.