WP Geo plugin contains an improper neutralization of input flaw that allows stored cross‑site scripting. User‑supplied data entered via the plugin is written directly to the database and later rendered on web pages without encoding, so an attacker can inject malicious JavaScript that will execute in the browsers of anyone who views the affected content. This could lead to session hijacking, theft of credentials, defacement of the site, and distribution of malware to site visitors.

The affected product is the WP Geo plugin developed by Ben Huson, all releases from the original version through and including 3.5.1. Any WordPress installation that has this plugin installed and accessible to users is vulnerable. Sites that use the plugin to present location data or other user‑generated content should be evaluated for exposure.

The CVSS score is 6.5, indicating medium severity. The EPSS score is less than 1 %, implying a low probability of exploitation at this time. No KEV listing indicates it is not currently recognized as a widely exploited vulnerability. The likely attack vector is a remote web request to the plugin’s interface where malicious payloads can be submitted and stored, then later delivered to visitors through the plugin’s output rendering. Attackers need only craft an input that the plugin will persist and that will be displayed to other users, which suggests that authentication may not be required depending on the plugin’s configuration.