Map Block Leaflet < 3.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter | CVE 2025-5122 | Plugin Vulnerabilities

Description

The Map Block Leaflet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

map-block-leaflet

Fixed in 3.2.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/372f1cf3-df33-444c-b31e-8f71d128e30b

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Peter Thaleikis

Verified

No

WPVDB ID

c9a9c4b2-24a4-4758-bf26-e7778c87a559

Timeline

Publicly Published

2025-05-28 (about 10 months ago)

Added

2025-05-28 (about 10 months ago)

Last Updated

2025-05-29 (about 10 months ago)

Other

Published

Title

Published

2023-02-21

Title

Japanized For WooCommerce < 2.5.5 - Reflected XSS

Published

2024-01-30

Title

Persian Fonts <= 1.6 - Admin+ Stored XSS

Published

2014-08-01

Title

Multiple Parallelus Themes - Reflected Cross-Site Scripting (XSS)

Published

2022-09-06

Title

Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Stored XSS

Published

2024-05-14

Title

Yoast SEO < 22.7 - Authenticated (Contributor+) Stored Cross-Site Scripting