WP Map Block by aBlocks < 2.0.3 – Contributor+ Stored XSS via Marker | CVE 2025-5194 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

As a contributor, put the WP Map Block in a post, edit one of its marker and add the following payload in the Content field: &lt;img src=x onerror=alert(/XSS/)&gt;

The XSS will be triggered when (pre)viewing the post and click on the marker

Affects Plugins

Fixed in 2.0.3

References

CVE

URL

https://research.cleantalk.org/CVE-2025-5194/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krugov Artyom

Submitter

Krugov Aryom

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

f90b7ad6-e2a2-4833-a390-a78c64dc2382

Timeline

Publicly Published

2025-06-06 (about 6 months ago)

Added

2025-06-06 (about 6 months ago)

Last Updated

2025-06-06 (about 6 months ago)

Other

Published

Title

Published

2025-06-16

Title

Simple Logo Carousel < 1.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

Published

2023-03-13

Title

Robo Gallery < 3.2.13 - Contributor+ Stored XSS

Published

2021-11-11

Title

Contact Form Email < 1.3.25 - Admin+ Stored Cross-Site Scripting

Published

2025-04-01

Title

Gosign – Posts Slider Block <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-09-04

Title

Share This Image < 2.03 - Authenticated (Contributor+) Stored Cross-Site Scripting via STI Buttons Shortcode