CVE-2025-24680: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in WP Multi Store Locator WordPress plugin, identified as CVE-2025-24680. The vulnerability affects versions through 2.4.7 and was disclosed on January 27, 2025. The issue specifically involves improper neutralization of script-related HTML tags in web pages, allowing for reflected XSS attacks (Patchstack, NVD).

The vulnerability is classified as a Basic XSS (CWE-80) issue, with a CVSS v3.1 base score of 6.1 (Medium) according to NVD, and 7.1 (High) according to Patchstack. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), needs no privileges (PR:N), and requires user interaction (UI:R) (NVD).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

The vulnerability has been fixed in version 2.5.1 of the WP Multi Store Locator plugin. Users are advised to update to version 2.5.1 or later immediately. For Patchstack users, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).