Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Phillips Simple Locator simple-locator allows Reflected XSS.This issue affects Simple Locator: from n/a through <= 2.0.4.
Published: 2025-01-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, classified as a reflected cross‑site scripting flaw. When an attacker manipulates a URL or form field that is returned to the user without proper encoding, malicious JavaScript can run in the victim’s browser. This can enable credential theft, session hijack, or other client‑side attacks. The weakness is a classic input validation failure identified as CWE‑79.

Affected Systems

All installations of Kyle Phillips’ Simple Locator plugin for WordPress that are at or below version 2.0.4 are vulnerable. The plugin can be present on any WordPress site that has opted to use the locator feature, potentially affecting a broad swath of public websites.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact if exploited. The EPSS score of less than 1% suggests that, at the time of analysis, exploitation attempts are rare, and the vulnerability is not currently listed in CISA’s KEV database. Attackers could execute the flaw through unauthenticated requests to the plugin’s endpoint, leveraging reflected XSS to inject malicious scripts into users’ browsers. The relatively low EPSS and absence from KEV imply that while the risk is real, immediate exploitation activity is unlikely. However, the high CVSS warrants proactive mitigation.

Generated by OpenCVE AI on May 1, 2026 at 18:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple Locator plugin to the latest release, which includes proper input sanitization for all user‑supplied fields.
  • If an update is not immediately available, permanently disable or uninstall the Simple Locator plugin to eliminate the attack surface.
  • Deploy a Web Application Firewall or use a content‑filtering plugin to escape special characters in outbound responses, mitigating reflected XSS even if the plugin remains in use.
  • Conduct a periodic scan of the WordPress installation for leftover or hidden plugin files and update associated components to reduce overall risk.

Generated by OpenCVE AI on May 1, 2026 at 18:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-2793 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Simple Locator allows Reflected XSS. This issue affects Simple Locator: from n/a through 2.0.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Simple Locator allows Reflected XSS. This issue affects Simple Locator: from n/a through 2.0.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Phillips Simple Locator simple-locator allows Reflected XSS.This issue affects Simple Locator: from n/a through <= 2.0.4.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 27 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Jan 2025 14:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Simple Locator allows Reflected XSS. This issue affects Simple Locator: from n/a through 2.0.4.
Title WordPress Simple Locator Plugin <= 2.0.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:00.631Z

Reserved: 2025-01-07T10:22:41.466Z

Link: CVE-2025-22513

cve-icon Vulnrichment

Updated: 2025-01-27T14:23:39.714Z

cve-icon NVD

Status : Deferred

Published: 2025-01-27T14:15:28.233

Modified: 2026-06-17T08:47:54.110

Link: CVE-2025-22513

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T18:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')