MapPress Maps for WordPress < 2.94.9 – Contributor+ Stored XSS | CVE 2025-2055 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

Proof of Concept

1) Go to http://example.com/wp-admin/admin.php?page=mappress_maps
2) Create a new Map and enter a sample address 
3) Click on this place in left side of interface
4) Change "Description Title" field to `Sud Department&lt;img src=x onerror=alert(1)&gt;`
5) Create a new post/page with the shortcode for this map. The XSS will execute on pageload.

Affects Plugins

mappress-google-maps-for-wordpress

Fixed in 2.94.9

References

CVE

URL

https://research.cleantalk.org/cve-2025-2055/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

a8bfdbbf-6963-4fab-826a-6be770ac72c3

Timeline

Publicly Published

2025-03-13 (about 9 months ago)

Added

2025-03-13 (about 9 months ago)

Last Updated

2025-03-13 (about 9 months ago)

Other

Published

Title

Published

2018-04-04

Title

My Calendar <= 2.5.16 - Authenticated Cross-Site Scripting (XSS)

Published

2023-01-24

Title

Product Slider and Carousel with Category for WooCommerce < 2.8 - Contributor+ Stored XSS via Shortcode

Published

2024-04-11

Title

WidgetKit <= 2.5.1 - Contributor+ Stored XSS

Published

2025-03-21

Title

Multi Video Box <= 1.5.2 - Reflected Cross-Site Scripting via video_id and group_id Parameters

Published

2024-03-12

Title

Page Builder Gutenberg Blocks < 3.1.7 - Contributor+ Stored XSS