WP Maps < 4.7.2 – Admin+ Stored XSS | CVE 2025-3502 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1) Create new WP Map
2) Fill "Map Title" and "Map height" fields with random 
3) Go to "Map Theme Settings" section toggle on "Apply your own design everywhere" and put here 123</style><img src=x onerror=alert(1)> in "Base Font Size" field
4) Save the Map. The XSS will be triggered in Post/Page where the Map shortcode

Affects Plugins

wp-google-map-plugin

Fixed in 4.7.2

References

CVE

URL

https://research.cleantalk.org/cve-2025-3502/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

dd436064-e611-4a4b-a873-67ed6029c46f

Timeline

Publicly Published

2025-04-10 (about 8 months ago)

Added

2025-04-10 (about 8 months ago)

Last Updated

2025-04-10 (about 8 months ago)

Other

Published

Title

Published

2025-04-11

Title

SpaBiz <= 1.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-07-21

Title

Digital Publications by Supsystic < 1.7.4 - Admin+ Stored Cross-Site Scripting

Published

2022-12-16

Title

Logo Slider < 3.6.0 - Contributor+ Stored XSS in Shortcode

Published

2024-11-08

Title

NV Slider <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2018-04-09

Title

WP Live Chat Support < 8.0.06 - Unauthenticated Stored XSS