Description
Cross-Site Request Forgery (CSRF) vulnerability in Store Locator Widgets Store Locator Widget store-locator-widget allows Stored XSS. This issue affects Store Locator Widget: from n/a through <= 2025r2.
Published: 2025-03-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Cross‑Site Request Forgery in the Store Locator Widget plugin allows attacker‑controlled data to be written to the site's database without the victim intending it. When that data is later rendered without escaping, the embedded JavaScript executes in the browser of every visitor who loads the affected content (stored XSS). Based on the description and the CVSS vector (PR:N, UI:R, S:C), it is inferred that the attacker needs no account of their own but must get a logged‑in user with rights to change the plugin's settings to load an attacker‑controlled page, which submits the forged request with that user's session cookies; the scope change reflects that the stored script then affects site visitors rather than only the plugin itself.

Affected Systems

The vulnerability applies to Store Locator Widget by Store Locator Widgets for all WordPress installations running version 2025r2 or earlier. No narrower version scope is defined by the vendor. Note that the affected range was widened on 2026‑04‑01 (see History): the original record listed versions through 20200131, so installations between 20200131 and 2025r2 that were treated as unaffected under the original advisory are now in scope.

Risk and Exploitability

The CVSS base score is 7.1, indicating a high‑severity condition, while the EPSS score is below 1% and the issue is not listed in the CISA KEV catalog; the SSVC assessment recorded on 2025‑03‑27 marks it as not automatable with no known exploitation. Based on the description, it is inferred that the attack requires a logged‑in user with rights to edit the plugin's settings to visit an attacker‑controlled page (or otherwise submit a forged request), so initial exploitation depends on social engineering or a compromised session. Once a malicious script is stored, however, it persistently affects every visitor who loads the compromised content, with no further interaction from the original victim.

Generated by OpenCVE AI on May 2, 2026 at 03:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Store Locator Widget to a release newer than 2025r2 that the vendor confirms fixes the CSRF and stored XSS issue (the suggested target is >=2025r3; the Remediation section above does not yet record a confirmed vendor fix, so verify against the plugin's changelog before relying on it).
  • If a fixed release is not available, disable or delete the plugin to eliminate the risk.
  • Restrict access to the plugin's configuration pages so that only trusted administrators can edit settings. Note that CSRF rides on a legitimate administrator's session, so this limits who can be targeted rather than preventing the attack; those administrators should also be warned about following untrusted links while logged in.
  • Implement a strict Content Security Policy whose script-src omits 'unsafe-inline' and 'unsafe-eval', so that stored inline script will not execute even if it reaches the page. Test it first: WordPress core and many themes and plugins rely on inline scripts that such a policy will block.

Generated by OpenCVE AI on May 2, 2026 at 03:09 UTC.
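The following is an added illustration of the general CSRF‑to‑stored‑XSS pattern described in the Impact section and of the controls the Recommended Actions point to. It is not the Store Locator Widget plugin's code and says nothing about where the actual flaw lies; every function name prefixed "slwdemo_", the option name "slwdemo_settings" and the form field "store_title" are hypothetical. The WordPress API calls (check_admin_referer, current_user_can, sanitize_text_field, esc_html, admin_post_* hooks, send_headers) are real.

```php
<?php
/**
 * Added example, not the plugin's code. Shows a settings handler with the
 * three missing controls that make a CSRF-to-stored-XSS chain possible,
 * beside a hardened version. Names prefixed "slwdemo_" are hypothetical.
 */

// --- Vulnerable pattern ---------------------------------------------------
// No nonce, no capability check, no sanitisation, no output escaping.
// Any page an administrator visits can POST here with their cookies (CSRF),
// and whatever it stores is echoed raw to every later visitor (stored XSS).
function slwdemo_save_settings_vulnerable() {
    $title = $_POST['store_title'];                       // raw, attacker-controlled
    update_option( 'slwdemo_settings', array( 'title' => $title ) );
}

function slwdemo_render_vulnerable() {
    $opts = get_option( 'slwdemo_settings', array( 'title' => '' ) );
    echo '<h2>' . $opts['title'] . '</h2>';               // unescaped -> script executes
}

// --- Hardened pattern -----------------------------------------------------
// 1. The form carries a nonce bound to the action and the current user, so a
//    cross-origin page cannot construct a request the handler will accept.
function slwdemo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'slwdemo_save_settings', 'slwdemo_nonce' ); ?>
        <input type="hidden" name="action" value="slwdemo_save_settings">
        <input type="text" name="store_title">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler checks authorisation, verifies the nonce (stops CSRF), and
//    sanitises the input before it reaches the database.
function slwdemo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Stops with an error page if the nonce is missing, expired or forged.
    check_admin_referer( 'slwdemo_save_settings', 'slwdemo_nonce' );

    $title = isset( $_POST['store_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['store_title'] ) )
        : '';
    update_option( 'slwdemo_settings', array( 'title' => $title ) );

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}
add_action( 'admin_post_slwdemo_save_settings', 'slwdemo_save_settings_hardened' );

// 3. Output is escaped at render time, so data that reached the database by
//    any other route still cannot execute as script.
function slwdemo_render_hardened() {
    $opts = get_option( 'slwdemo_settings', array( 'title' => '' ) );
    echo '<h2>' . esc_html( $opts['title'] ) . '</h2>';
}

// 4. Defence in depth, as in the recommended actions: a front-end CSP whose
//    script-src has no 'unsafe-inline' or 'unsafe-eval'. Expect breakage from
//    core, themes and plugins that emit inline scripts; tune before deploying.
add_action( 'send_headers', function () {
    if ( ! is_admin() ) {
        header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
} );
```

The three hardened controls are independent: the nonce defeats the forged request, the capability check limits who can write the option at all, and escaping at output keeps a stored payload inert. The CSP is a fourth, site‑wide layer that helps only if the payload relies on inline script or eval.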

Advisories
Source: EUVD
ID: EUVD-2025-8299
Title: Cross-Site Request Forgery (CSRF) vulnerability in Store Locator Widgets Store Locator Widget allows Stored XSS. This issue affects Store Locator Widget: from n/a through 20200131.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics added (cvssV3_1):
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Cross-Site Request Forgery (CSRF) vulnerability in Store Locator Widgets Store Locator Widget allows Stored XSS. This issue affects Store Locator Widget: from n/a through 20200131.
  Added: Cross-Site Request Forgery (CSRF) vulnerability in Store Locator Widgets Store Locator Widget store-locator-widget allows Stored XSS.This issue affects Store Locator Widget: from n/a through <= 2025r2.
Title
  Removed: WordPress Store Locator Widget plugin <= 20200131 - CSRF to Stored XSS vulnerability
  Added: WordPress Store Locator Widget plugin <= 2025r2 - CSRF to Stored XSS vulnerability
References: changed (values not shown)
Metrics (cvssV3_1):
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 27 Mar 2025 15:15:00 +0000

Metrics added (ssvc):
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Description added: Cross-Site Request Forgery (CSRF) vulnerability in Store Locator Widgets Store Locator Widget allows Stored XSS. This issue affects Store Locator Widget: from n/a through 20200131.
Title added: WordPress Store Locator Widget plugin <= 20200131 - CSRF to Stored XSS vulnerability
Weaknesses added: CWE-352
References added (values not shown)
Metrics added (cvssV3_1):
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:00.911Z

Reserved: 2025-03-26T09:21:45.625Z

Link: CVE-2025-30919

Vulnrichment

Updated: 2025-03-27T14:15:00.845Z

NVD

Status : Deferred

Published: 2025-03-27T11:15:52.477

Modified: 2026-04-23T15:27:19.620

Link: CVE-2025-30919

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:15:06Z

Weaknesses