CVE-2025-6200
published 2025-07-11


Priority: P4, 22, medium
CVSS 3.1: 5.9 (AV:N / AC:L / PR:H / UI:R / S:C / C:L / I:L / A:L)
EPSS: 0.21% (11.3th percentile)
The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ayecode | geodirectory | < 2.8.120 | 2.8.120 |
| msrc | azl3_kernel_6.6.35.1-4_on_azure_linux_3.0 | | |
| msrc | azl3_kernel_6.6.92.2-1_on_azure_linux_3.0 | | |
| msrc | cbl2_kernel_5.15.153.1-1_on_cbl_mariner_2.0 | | |
| msrc | cbl2_kernel_5.15.180.1-1_on_cbl_mariner_2.0 | | |
| msrc | cbl_mariner_2.0_arm | | |
| msrc | cbl_mariner_2.0_x64 | | |

CVSS provenance

nvd: v3.1, 5.9 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
vendor_msrc: 7.5 HIGH