Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy IP Locator ip-locator allows DOM-Based XSS. This issue affects IP Locator: from n/a through <= 4.1.0.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Pierre Lannoy IP Locator plugin exposes a DOM-based XSS flaw caused by improper neutralization of user input during web page generation. An attacker can inject script that executes in the victim's browser, enabling session hijacking, credential theft, defacement, or other browser-side attacks. The weakness is a classic cross-site scripting vulnerability, classified under CWE-79.

Affected Systems

Any WordPress installation running the IP Locator plugin at version 4.1.0 or earlier is affected; every release up to and including 4.1.0, from the initial release onward, carries the flaw. Administrators should identify such installations and evaluate whether the plugin is still needed.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score below 1% suggests that the current likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the flaw by delivering crafted input that the plugin processes client-side, so any user who views the affected page could be compromised. The risk is moderate, but the probability of exploitation remains low.

Generated by OpenCVE AI on May 1, 2026 at 03:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the IP Locator plugin to version 4.1.1 or later (or remove the plugin if it is no longer required).
  • Disable all input fields exposed by the plugin through the WordPress admin settings to prevent user data from being sent to the plugin.
  • Deploy a web application firewall or configure input sanitization rules that block script injection before it reaches client-side processing.

Advisories
Source: EUVD
ID: EUVD-2025-8355
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy IP Locator allows DOM-Based XSS. This issue affects IP Locator: from n/a through 4.1.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy IP Locator allows DOM-Based XSS. This issue affects IP Locator: from n/a through 4.1.0.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy IP Locator ip-locator allows DOM-Based XSS.This issue affects IP Locator: from n/a through <= 4.1.0.
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Thu, 27 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 11:00:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy IP Locator allows DOM-Based XSS. This issue affects IP Locator: from n/a through 4.1.0.
Type: Title
Values added: WordPress IP Locator plugin <= 4.1.0 - Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:58.115Z

Reserved: 2025-03-26T09:20:39.456Z

Link: CVE-2025-30826

Vulnrichment

Updated: 2025-03-27T13:25:17.496Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:43.980

Modified: 2026-04-23T15:27:08.750

Link: CVE-2025-30826

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')