Impact
The WP Find Your Nearest plugin for WordPress does not properly neutralize user-supplied input during page generation, resulting in a reflected cross-site scripting (XSS) vulnerability. An attacker could embed malicious JavaScript in URLs that the plugin reflects on its settings pages, causing arbitrary script to execute in the browser of any user who views the affected page. The impact could extend to theft of authentication data or execution of additional payloads, although the description does not confirm these outcomes; what it establishes is the capability for client-side code execution, with the scope determined by the attacker's objective.
Affected Systems
Versions of the SocialEvolution WP Find Your Nearest plugin from the initial release through 0.3.1 are affected. Site administrators who installed the plugin from WordPress.org or another source may be exposed if a vulnerable version remains in use.
Risk and Exploitability
A CVSS score of 7.1 classifies the flaw as high severity. An EPSS score below 1% indicates that, at the time of assessment, exploitation was considered rare. The issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a malicious link carrying the vulnerable input, though this is inferred rather than explicitly stated. No user authentication is required to trigger the vulnerability, so the attack can succeed against any user who visits the crafted URL.
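The pattern behind a reflected XSS flaw of the kind described above, shown as an added illustration rather than the plugin's own code: a request parameter echoed into settings-page markup without escaping, beside the same page rendered with an allowlist, a capability check and context-appropriate WordPress escaping. The parameter name "tab", the option names and the function names are hypothetical.

```php
<?php
// Added illustration, not code from the WP Find Your Nearest plugin.
// The "tab" parameter, the tab names and the function names are hypothetical.

// VULNERABLE pattern: the request value is written straight into the
// settings page. A crafted URL whose "tab" value contains quotes or tags
// breaks out of the attribute and is interpreted as markup/script by the
// browser of whoever opens that URL.
function example_render_settings_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<input type="hidden" name="tab" value="' . $tab . '">';
    echo '<h2>Settings: ' . $tab . '</h2>';
}

// HARDENED pattern: only users allowed to manage options may reach the
// page, the value is constrained to a known set, and every output point
// is escaped for its context (esc_attr inside an attribute, esc_html in
// element text). The allowlist alone would stop this case; the escaping
// is kept so that any later change to the allowed values stays safe.
function example_render_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.', 'example' ) );
    }

    $allowed = array( 'general', 'locations', 'display' );
    $tab     = isset( $_GET['tab'] )
        ? sanitize_text_field( wp_unslash( $_GET['tab'] ) )
        : 'general';
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general'; // unknown values fall back instead of being reflected
    }

    echo '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '">';
    echo '<h2>' . esc_html( sprintf( 'Settings: %s', $tab ) ) . '</h2>';
}
```

When reviewing a plugin for this class of bug, look for every `echo`/`print` or template interpolation of `$_GET`, `$_POST`, `$_REQUEST` or `$_SERVER['REQUEST_URI']` values and confirm each passes through the escaping helper matching its output context.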