CVE-2025-6200

CWE-79Cross-site Scripting (XSS)CWE-362Race Condition4 documents4 sources
Severity
5.9MEDIUM
EPSS
0.1%
top 81.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown GeodirectoryAyecode Geodirectory
Timeline
PublishedJul 11

Description

The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:LExploitability: 1.7 | Impact: 3.7

Affected Packages2 packages

CVEListV5unknown/geodirectory< 2.8.120
NVDayecode/geodirectory< 2.8.120

🔴Vulnerability Details

2
CVEList
GeoDirectory < 2.8.120 - Contributor+ Stored XSS2025-07-11
GHSA
GHSA-987q-rh8g-5x3f: The GeoDirectory WordPress plugin before 22025-07-11

📋Vendor Advisories

1
Microsoft
Kernel: icmpv6 router advertisement packets aka linux tcp/ip remote code execution vulnerability2024-01-09
CVE-2025-6200 (MEDIUM CVSS 5.9) | The GeoDirectory WordPress plugin b | cvebase.io