CVE-2025-62904 identifies a stored Cross-site Scripting (XSS) vulnerability in the WP Geo plugin for WordPress, developed by Ben Huson. The flaw stems from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious scripts that are stored and later executed in the context of other users' browsers. This vulnerability affects all versions of WP Geo up to and including 3.5.1. The CVSS 3.1 base score is 5.4, indicating a medium severity level. The vector metrics specify that the attack can be performed remotely (AV:N) with low attack complexity (AC:L), but requires privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact affects confidentiality and integrity to a limited extent (C:L, I:L), with no impact on availability (A:N). Stored XSS vulnerabilities can be exploited to steal session cookies, perform actions on behalf of users, or deliver further malware payloads. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to websites using this plugin, especially those with multiple users or administrators. The lack of available patches at the time of publication necessitates immediate attention from administrators. The vulnerability was reserved and published in late October 2025 by Patchstack, a known vulnerability database and security provider.

For European organizations, especially those operating public-facing WordPress websites using the WP Geo plugin, this vulnerability presents a moderate risk. Successful exploitation could lead to unauthorized disclosure of sensitive information such as session tokens or user data, enabling further attacks like account takeover or privilege escalation. The integrity of website content could be compromised, potentially damaging organizational reputation and user trust. While availability is not directly impacted, the indirect effects of exploitation—such as defacement or phishing—could disrupt normal business operations. Organizations in sectors with stringent data protection regulations, such as finance, healthcare, and government, may face compliance risks if user data is exposed. The requirement for low privileges and user interaction means that internal users or contributors could inadvertently trigger exploitation, increasing the attack surface. Given the widespread use of WordPress across Europe, the potential impact is significant, particularly for SMEs and public institutions that may lack robust security monitoring.

1. Monitor official channels for the release of a security patch for WP Geo and apply it immediately upon availability. 2. Until a patch is available, restrict plugin usage to trusted users and limit the number of users with editing privileges to reduce the risk of malicious input. 3. Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting WP Geo endpoints. 4. Conduct regular security audits and code reviews of customizations involving WP Geo to identify and remediate unsafe input handling. 5. Employ Content Security Policy (CSP) headers to mitigate the impact of potential XSS by restricting script execution sources. 6. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content within the site. 7. Use security plugins that provide input sanitization and output encoding enhancements for WordPress. 8. Maintain regular backups of website data to enable recovery in case of compromise. 9. Monitor logs for unusual activity indicative of XSS exploitation attempts, such as unexpected script injections or anomalous user behavior.