MapPress Maps for WordPress is a popular plugin used to create and manage maps on WordPress sites. It allows users to easily embed maps and display locations using the Google Maps API. With over 50,000 active installations, it is a widely trusted tool for website owners looking to add interactive maps to their pages. However, a critical vulnerability—CVE-2025-2055—has been discovered in the plugin that allows an attacker to exploit stored Cross-Site Scripting (XSS), which could lead to account takeover and privilege escalation, potentially giving an attacker admin access. This issue is particularly concerning for websites that use MapPress to display sensitive location-based data.
| CVE | CVE-2025-2055 |
| MapPress Maps for WordPress < 2.94.9 | |
| Critical | High |
| All Time | 4 630 195 |
| Active installations | 50 000+ |
| Publicly Published | April 22, 2025 |
| Last Updated | April 22, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2055 https://wpscan.com/vulnerability/a8bfdbbf-6963-4fab-826a-6be770ac72c3/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| March 4, 2025 | Plugin testing and vulnerability detection in the MapPress have been completed |
| March 4, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 22, 2025 | Registered CVE-2025-2055 |
Discovery of the Vulnerability
The vulnerability was found during the process of testing the MapPress plugin. It is present in the “Description Title” field within the map’s settings. The plugin fails to properly sanitize input provided by the user in this field, allowing an attacker to inject malicious JavaScript code. This input is then stored in the WordPress database and executed when the map is displayed, creating the possibility for privilege escalation and backdoor creation. The vulnerability affects users with contributor or higher roles, meaning that an attacker with these permissions could exploit the vulnerability to gain full admin access, creating significant security risks.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is one of the most common and dangerous vulnerabilities found in web applications. It allows attackers to inject malicious scripts into web pages viewed by other users, typically resulting in session hijacking, unauthorized actions on behalf of the user, or the creation of backdoors. In the context of WordPress, XSS vulnerabilities are particularly problematic due to the ease with which they can be exploited, especially in plugins like MapPress that allow user-generated content. Real-world examples include incidents where XSS was used to steal admin credentials, escalate privileges, or manipulate content. CVE-2025-2055 shares this nature, enabling an attacker to inject JavaScript into the “Description Title” field and subsequently escalate their privileges to an admin account.
Exploiting the XSS Vulnerability
To exploit CVE-2025-2055, an attacker with contributor+ privileges:
POC:
1) Go to Maps http://127.0.0.1/wordpress/wp-admin/admin.php?page=mappress_maps 2) Create a new Map with any place 3) Click on this place in left side of interface 4) Change "Description Title" field to Sud Department<img src=x onerror=alert(1)> 5) To trigger XSS you should create a new POST with shortcode of this map____
The risks associated with CVE-2025-2055 are severe, especially for websites that handle sensitive data or have administrative capabilities accessible to multiple users. In a real-world scenario, an attacker could exploit this XSS vulnerability to inject scripts that steal session cookies or create backdoors. Once an admin’s session is hijacked, the attacker could gain full control over the WordPress site, modify settings, and access user data. For websites using MapPress to display sensitive location data, this could lead to data manipulation, unauthorized access to customer information, or the deployment of malware. This vulnerability could also be used to escalate from contributor-level roles to admin roles, giving attackers complete control over the website.
Recommendations for Improved Security
To mitigate the risk of CVE-2025-2055, users of the MapPress plugin should immediately update to the latest version that addresses this vulnerability. The plugin developers should ensure proper input sanitization for all user-submitted content, particularly in fields like “Description Title” that render content in a public-facing context. WordPress’s esc_html(), wp_kses(), and other sanitization functions should be used to strip out malicious code from input fields. Additionally, WordPress administrators should regularly monitor and limit user roles, ensuring that only trusted users have access to sensitive settings within the plugin. Regular security audits and penetration testing can help identify such vulnerabilities and prevent them from being exploited. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-2055, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.