Impact
The G Web Pro Store Locator plugin from Jas Saran fails to neutralize user-supplied input during web page generation, allowing an attacker to inject scripts that are reflected back to users who visit a crafted URL. The vulnerability is classified as Cross‑Site Scripting (CWE‑79) and can lead to session hijacking, credential theft, or the execution of arbitrary code within the victim’s browser. The CVSS score of 7.1 indicates a high likelihood of exploitation, although the EPSS score of less than 1% suggests it is not a common target today. The flaw resides in the way the plugin processes request parameters that are displayed on store locator pages.
Affected Systems
Jas Saran G Web Pro Store Locator plugin, versions up to and including 2.0.1. Users running any installation of this plugin prior to version 2.0.2 are affected and should upgrade as soon as possible.
Risk and Exploitability
Based on the described behavior, an attacker can trigger the reflected XSS by embedding script tags in query parameters or other data points that the plugin echoes without proper output encoding. The low EPSS score indicates that exploitation is not widespread, but because the plugin likely runs on public websites, the impact could be broad if a malicious link is distributed. The vulnerability does not appear in CISA’s KEV catalog, which lowers the likelihood of publicly known active exploitation, but the flaw still warrants immediate attention. The CVSS score underscores a high severity, requiring prompt mitigation.
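To make the bug class concrete, the following PHP is an added illustration, not the plugin's own code: a hypothetical store-locator search box that echoes a request parameter (here assumed to be named `location`) without encoding, beside the hardened form that encodes for the HTML context the value lands in. The `esc_html`/`esc_attr` fallbacks are only so the file runs outside WordPress.

```php
<?php
// Added example for this advisory (CWE-79, reflected XSS). The parameter
// name "location" and both render functions are hypothetical; they are not
// taken from the G Web Pro Store Locator plugin.

// Fallbacks so the example runs outside WordPress; inside WordPress the
// real esc_html()/esc_attr() are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the query parameter is written into an attribute and
// into a text node with no output encoding, so a crafted URL controls the HTML.
function render_search_box_vulnerable(array $get): string {
    $q = $get['location'] ?? '';
    return '<input name="location" value="' . $q . '">'
         . '<p>Stores near ' . $q . '</p>';
}

// Hardened pattern: encode per context. esc_attr() for attribute values,
// esc_html() for text content. The value is still displayed, just inert.
function render_search_box_hardened(array $get): string {
    $q = $get['location'] ?? '';
    return '<input name="location" value="' . esc_attr($q) . '">'
         . '<p>Stores near ' . esc_html($q) . '</p>';
}

// Constructed sample request carrying the kind of value a crafted URL would.
$sample = ['location' => '<script>alert(1)</script>'];

echo "vulnerable: " . render_search_box_vulnerable($sample) . PHP_EOL;
echo "hardened:   " . render_search_box_hardened($sample) . PHP_EOL;

// Regression check a maintainer can keep: no raw tag survives encoding.
assert(strpos(render_search_box_hardened($sample), '<script') === false);
assert(strpos(render_search_box_vulnerable($sample), '<script') !== false);
```

The same rule applies to every other echoed parameter on the page; a value reflected into a JavaScript block or a URL needs the corresponding `esc_js()` or `esc_url()` rather than `esc_html()`.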