GeoDirectory < 2.8.120 – Contributor+ Stored XSS | CVE 2025-6200 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. Login as a Contributor user.
2. Create a new post.
3. Insert the following shortcode into the content editor: `[gd_best_of tab_layout='" onmouseover=alert(document.domain)']`
4. Submit the post for review or preview it (if allowed).
5. Login as an Admin user and preview post.
6. When the post is viewed in the frontend, the injected script will be executed when hovering the mouse over the widget area.

Affects Plugins

Fixed in 2.8.120

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

imduyb

Submitter

Duy

Verified

Yes

WPVDB ID

27c35255-4963-4d93-85e7-9e7688e5eb2e

Timeline

Publicly Published

2025-06-20 (about 6 months ago)

Added

2025-06-20 (about 6 months ago)

Last Updated

2025-06-20 (about 6 months ago)

Other

Published

Title

Published

2021-10-25

Title

Ecommerce - Two Factor Authentication < 1.0.5 - Reflected Cross-Site Scripting

Published

2015-11-10

Title

Types < 1.8.8 - Cross-Site Scripting (XSS)

Published

2025-09-22

Title

Search Atlas SEO < 2.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-12-01

Title

Afterpay Gateway for WooCommerce < 3.5.1 - Reflected Cross-Site Scripting

Published

2024-11-08

Title

Bg Patriarchia BU <= 2.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting