WordPress Plugin Vulnerabilities

YaMaps < 0.6.40 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

Affects Plugins

Plugin icon
yamaps
Fixed in 0.6.40

References

CVE
CVE-2025-13958

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Alex Tselevich (nos3curity)
Submitter
Alex Tselevich (nos3curity)
Submitter website
https://nosecurity.blog
Submitter twitter
nos3curity
Verified
Yes
WPVDB ID
0d4bb338-f0d0-4b57-8664-1b8cba7cbe52

Timeline

Publicly Published
2025-12-08 (about 21 days ago)
Added
2025-12-08 (about 20 days ago)
Last Updated
2025-12-08 (about 20 days ago)

Other

Published
Title
Published
2025-04-10
Title
WP Project Manager < 2.6.23 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2023-06-26
Title
Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite < 1.0.0 - Subscriber+ Stored XSS
Published
2025-11-10
Title
Stars Testimonials < 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-10
Title
WP Scriptcase <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter
Published
2024-10-15
Title
ElementsReady Addons for Elementor < 6.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload