CVE-2025-6200

Medium CVSS 5.9

Overview

The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CWE: CWE-79 Published: 2025-07-11T06:15:25.017

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

CVSS: 5.9 (MEDIUM)
Detected tags: wordpress, xss (tag impact: MODERATE)

Recommended actions:

Apply context-aware output encoding.
Enable Content-Security-Policy and HttpOnly/SameSite cookies.

Overview

Recommended tools

Tags