CVE

The WP Maps plugin is a popular solution for adding interactive maps to WordPress sites, boasting over 80,000 installations. However, during a security assessment, a severe vulnerability was discovered — a Stored Cross-Site Scripting (XSS) flaw that can be leveraged by an attacker with editor privileges to inject persistent JavaScript code. This code is later executed in the context of an administrator, potentially resulting in full site takeover.

The WP Maps plugin for WordPress, with over 80,000 active installations, provides an easy interface for users to create interactive maps on their websites. However, in the course of a routine security assessment, a serious vulnerability was identified — CVE-2025-3503. This vulnerability allows users with editor-level access or higher to inject persistent JavaScript code (Stored XSS) into map content, opening the door to the creation of a backdoor and full account compromise.

The WordPress ecosystem, with its massive collection of third-party plugins, remains a fertile ground for both innovation and security concerns. One such concern has emerged in the popular WP Maps plugin, which boasts over 80,000 active installations. This plugin, designed to help users create interactive maps on their websites, contains a critical vulnerability identified as CVE-2025-3502. The vulnerability allows for the execution of stored cross-site scripting (XSS) payloads, ultimately enabling the creation of JavaScript-based backdoors. This vulnerability is particularly concerning due to its low exploitation threshold and the fact that it can be triggered even by users with limited privileges, such as editors.

The Calculated Fields Form plugin is a widely adopted WordPress tool used for creating forms with dynamically calculated fields based on user input. With over 50,000 active installations, it powers various contact forms, booking interfaces, quote generators, and more. Despite its powerful features, a significant security vulnerability has been discovered: CVE-2024-12273, a Stored Cross-Site Scripting (XSS) flaw that can be leveraged by an attacker to inject persistent JavaScript code and deploy a full JavaScript-based backdoor. This allows account takeover and, in worst-case scenarios, full administrative compromise.

BackWPup is one of the most trusted and feature-rich backup and restore plugins for WordPress, offering both flexibility and robust protection for your website’s data. Developed by WP Media—the team behind WP Rocket—BackWPup allows you to create complete backups of your WordPress installation and store them safely on external services such as Dropbox, Amazon S3, Google Drive, OneDrive, and more.

But beyond its impressive features, what sets BackWPup v5.2.3 apart is its strong commitment to security. The plugin has undergone a thorough security review, code analysis, and penetration testing process, earning it the official Plugin Security Certification (PSC) with the identifier PSC-2025-64571, issued by CleanTalk

AI Autotagger (Taxo Press) is a popular plugin used in WordPress for automatically tagging posts and improving the content classification process. It helps users to efficiently manage taxonomies and tags across their site, saving time and improving content visibility. However, a critical vulnerability, CVE-2025-0627, was discovered in the plugin, which allows attackers to inject malicious scripts, enabling a backdoor creation that can lead to account takeover. This vulnerability is a stored Cross-Site Scripting (XSS) flaw that can be exploited by users with editor privileges.

The WP Cost Calculator Builder is a widely used WordPress plugin that allows website owners to create dynamic pricing and estimation forms using an intuitive drag-and-drop interface. With over 20 flexible form elements and deep integration into e-commerce platforms like WooCommerce, it serves as a powerful tool for businesses that want to provide cost estimation on their services and products.

However, versions up to 3.2.74 of the plugin are vulnerable to a Stored Cross-Site Scripting (XSS) attack that allows malicious JavaScript code to be injected and persistently executed in the browser of any visitor who views the infected form.

The Category Posts Widget is a popular WordPress plugin that allows users to display posts from specified categories in a widget format. It is often used to enhance the user experience by providing dynamic content related to specific categories. However, a critical vulnerability has been discovered—CVE-2025-1453—that allows attackers to exploit stored XSS within the widget’s settings. This vulnerability enables attackers with editor-level permissions to inject malicious JavaScript, leading to potential backdoor creation and full account takeover.

Email Subscribers is a widely used plugin in WordPress, allowing users to manage email subscriptions, newsletters, and automated email campaigns. It is a valuable tool for website administrators looking to engage with their users via email marketing. However, CVE-2025-0671, a stored Cross-Site Scripting (XSS) vulnerability, has been discovered in the plugin that enables an attacker to inject malicious JavaScript into the site. This stored XSS vulnerability could lead to the creation of backdoors for attackers, potentially resulting in full site compromise, including admin account takeover.

Vulnerability was discovered in the widely-used WordPress plugin Post Slider and Carousel with Widget, which allows site owners to display posts in sliders or carousels. This plugin is favored for its ease of use and flexibility, especially for non-technical users.

The vulnerability, now identified as CVE-2025-4567, affects plugin versions below 3.2.10 and allows an authenticated user (with access to widget settings) to inject stored JavaScript code into a field that is later rendered on the front-end — leading to persistent Cross-Site Scripting (XSS) and the potential creation of a JavaScript backdoor.