CVE-2025-62904 identifies a stored Cross-site Scripting (XSS) vulnerability in the WP Geo plugin for WordPress, developed by Ben Huson. The vulnerability results from improper neutralization of user-supplied input during web page generation, which allows an attacker to inject malicious JavaScript code that is stored persistently and executed in the context of users visiting the affected pages. The flaw affects all versions of WP Geo up to and including 3.5.1. Exploitation requires the attacker to have at least limited privileges (PR:L) and user interaction (UI:R), such as tricking a user into visiting a crafted page or link. The vulnerability impacts confidentiality and integrity by enabling theft of session cookies, user credentials, or manipulation of displayed content, but does not affect availability. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required, user interaction needed, scope changed, and partial impact on confidentiality and integrity. No known public exploits exist yet, but the vulnerability is publicly disclosed and should be addressed promptly. The vulnerability is typical of stored XSS issues in WordPress plugins that insufficiently sanitize or encode input before rendering it in web pages, making it a critical concern for websites relying on WP Geo for geolocation features.

For European organizations, this vulnerability poses a risk primarily to websites using the WP Geo plugin on WordPress, which may include businesses offering location-based services, e-commerce, or content personalization. Exploitation could lead to session hijacking, unauthorized access to user accounts, defacement, or redirection to malicious sites, undermining user trust and potentially leading to data breaches. While availability is not impacted, the confidentiality and integrity of user data and site content can be compromised. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance risks and reputational damage if exploited. The requirement for limited privileges and user interaction reduces the ease of exploitation but does not eliminate risk, especially in environments with many users or where attackers can gain initial access. The absence of known exploits currently provides a window for mitigation before active attacks emerge.

Organizations should monitor for and apply security updates from the WP Geo plugin developer as soon as patches become available. Until patched, administrators should consider disabling the plugin if feasible or restricting its use to trusted users only. Implementing Web Application Firewalls (WAFs) with rules to detect and block typical XSS payloads can reduce risk. Enforcing Content Security Policies (CSP) that restrict the execution of inline scripts and untrusted sources can mitigate the impact of injected scripts. Input validation and output encoding should be reviewed and enhanced in custom integrations or themes interacting with WP Geo data. Regular security audits and user privilege reviews can limit the potential for attackers to gain the necessary access to exploit this vulnerability. Educating users about phishing and social engineering risks can reduce the likelihood of successful user interaction exploitation.