CVE-2025-3502 – WP Maps – Stored XSS to JS Backdoor Creation – POC

The WordPress ecosystem, with its massive collection of third-party plugins, remains fertile ground for both innovation and security problems. One such problem has surfaced in the popular WP Maps plugin, which has over 80,000 active installations. The plugin, which lets site owners build interactive maps, contains a vulnerability tracked as CVE-2025-3502: a stored cross-site scripting (XSS) flaw. Because the payload is persisted and rendered to other users, it executes in the browser of whoever views the affected content, administrators included, and can act with that user's session; that is what turns a stored XSS into a JavaScript-based backdoor. The bar for exploitation is low, and the flaw can be triggered by accounts with limited privileges, such as editors. When triaging, confirm which roles can actually reach the affected field: on a default single-site install the Editor role already holds the unfiltered_html capability and can post script tags without any bug, so the exposure is greatest on multisite or hardened installs where that capability is withheld.
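As an added hunting example (this is not code from the original write-up or from the WP Maps plugin), the script below scans exported WordPress content for stored XSS indicators and shows why context-correct output escaping, the Python stand-in for WordPress's esc_html()/esc_attr()/wp_kses(), is what neutralises a stored payload. The row layout, the field names and the payload rows are constructed for illustration; the script assumes you have already pulled the relevant wp_posts, wp_postmeta and wp_options rows out of the database (for example with wp-cli or a direct SELECT).

```python
"""Hunt for stored XSS payloads in exported WordPress content.

Added example; not code from the original post or the WP Maps plugin.
Input rows are (table, row_id, field, value) tuples. The table names,
field names and payloads below are constructed for illustration.
"""
import html
import re
from urllib.parse import unquote

# Heuristic indicators seen in stored XSS payloads and JS backdoor loaders.
# Tag-scoped patterns require a literal '<' so entity-escaped text does not hit.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("active_embed", re.compile(r"<\s*(svg|iframe|object|embed)\b", re.I)),
    ("remote_loader", re.compile(r"\bsrc\s*=\s*[\"']?\s*(https?:)?//", re.I)),
    ("wp_api_touch", re.compile(r"wp-json/|admin-ajax\.php|_wpnonce", re.I)),
]


def decode_once(value: str) -> str:
    """One decoding round a render path might apply: HTML entities, then URL escapes."""
    return unquote(html.unescape(value))


def scan_text(value: str) -> dict:
    """Return indicators hit in the raw value, plus those that only appear after
    one decoding round. Encoded payloads are inert unless the plugin decodes
    them before output, so they are reported separately for manual follow-up."""
    raw = [name for name, rx in INDICATORS if rx.search(value)]
    decoded = decode_once(value)
    encoded_only = [name for name, rx in INDICATORS
                    if name not in raw and rx.search(decoded)]
    return {"raw": raw, "encoded": encoded_only}


def scan_rows(rows):
    """Scan (table, row_id, field, value) tuples and return only rows with hits."""
    findings = []
    for table, row_id, field, value in rows:
        hits = scan_text(value)
        if hits["raw"] or hits["encoded"]:
            findings.append({"table": table, "id": row_id, "field": field, **hits})
    return findings


def escape_for_html(value: str) -> str:
    """Output escaping for an HTML text or quoted-attribute context
    (what esc_html()/esc_attr() do on the PHP side)."""
    return html.escape(value, quote=True)


# Constructed sample export: one benign row and three stored payloads.
SAMPLE_ROWS = [
    ("wp_postmeta", 101, "map_title", "Downtown stores"),
    ("wp_postmeta", 102, "map_description",
     '<img src=x onerror="alert(document.domain)">'),
    ("wp_postmeta", 103, "location_info",
     '<script src="https://example.invalid/loader.js"></script>'),
    ("wp_options", 7, "map_settings",
     "%3Cscript%3Edocument.title%3C%2Fscript%3E"),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
    # Escaping the stored value removes every raw hit; the payload survives only
    # as inert text that would need a decoding step in the plugin to come back.
    print(scan_text(escape_for_html(SAMPLE_ROWS[1][3])))
```

The "encoded" bucket is the part worth keeping in a real hunt: a value such as the URL-encoded row above is harmless if the plugin echoes it verbatim, and live if the plugin decodes it before writing it into the page, so each such hit needs to be traced through the render path rather than closed on sight.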
