MapPress Maps for WordPress is a widely used plugin for adding Google Maps to WordPress websites. It offers users the ability to create maps with custom markers, locations, and settings, providing an interactive experience for visitors. However, a critical vulnerability—CVE-2025-2162—has been discovered that allows attackers to inject malicious JavaScript into maps, leading to the creation of backdoors that can compromise admin accounts. This stored XSS vulnerability is particularly dangerous as it affects users with editor-level access, enabling attackers to escalate their privileges and potentially take over the site.
| CVE | CVE-2025-2162 |
| MapPress Maps for WordPress < 2.94.10 | |
| Critical | High |
| All Time | 4 630 195 |
| Active installations | 50 000+ |
| Publicly Published | April 22, 2025 |
| Last Updated | April 22, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2162 https://wpscan.com/vulnerability/06063788-7ab8-49cc-9911-1d9926fcf99d/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| March 4, 2025 | Plugin testing and vulnerability detection in the MapPress have been completed |
| March 4, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 22, 2025 | Registered CVE-2025-2162 |
Discovery of the Vulnerability
The vulnerability was discovered during routine security testing of the MapPress plugin. It was found that the plugin fails to properly sanitize input provided by users in certain fields, allowing an attacker to inject JavaScript. The issue arises in the “Map Theme Settings” section, where an attacker can insert malicious code into the “Base Font Size” field. This input is stored in the database and executed whenever the map is viewed, allowing for privilege escalation or the creation of a backdoor into the site.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) is a well-known vulnerability in web applications, including WordPress plugins. XSS occurs when an attacker injects malicious JavaScript code into a page that is then executed in the context of another user’s browser. This type of attack can lead to a wide range of issues, such as session hijacking, defacement, or privilege escalation. In WordPress, XSS vulnerabilities are often exploited in plugins that allow user-generated content, such as forms, comments, and custom maps. Real-world examples of XSS vulnerabilities include attacks where attackers gain unauthorized access to admin accounts, steal cookies, or inject malicious payloads into a website, which may go unnoticed for extended periods.
Exploiting the XSS Vulnerability
To exploit CVE-2025-2162, an attacker with contributor+ privileges:
POC:
1) Create new WP Map 2) Fill "Map Title" and "Map height" fields with random 3) Go to "Map Theme Settings" section toggle on "Apply your own design everywhere" and put here 123</style><img src=x onerror=alert(1)> in "Base Font Size" field 4) Save Map and copy shprtcode of this map. Craete a new Post and put here shortcode of new map____
The potential risks associated with CVE-2025-2162 are significant, particularly for websites that rely on MapPress for location-based content. If exploited, this vulnerability allows attackers to hijack admin sessions, create new admin accounts, or execute arbitrary actions in the admin’s context. In real-world scenarios, this could lead to unauthorized access to sensitive data, site modifications, and full administrative control of the WordPress site. For example, an attacker could modify settings, delete content, steal user information, or even insert malware into the website. Sites that handle sensitive customer data or use the map feature for e-commerce or booking purposes would be especially vulnerable to such attacks.
Recommendations for Improved Security
To mitigate the risk of CVE-2025-2162, users should immediately update to the latest version of the MapPress plugin, which addresses this XSS vulnerability. Plugin developers should implement proper input sanitization for all user inputs, particularly in fields that render content publicly, such as the “Base Font Size” field. WordPress’s built-in sanitization functions like esc_html() and wp_kses() should be used to prevent the injection of arbitrary scripts. Additionally, administrators should ensure that only trusted users are given editor roles and limit access to sensitive plugin settings. Implementing a Content Security Policy (CSP) and a Web Application Firewall (WAF) can provide an extra layer of protection against malicious scripts. Regular security audits and monitoring of WordPress plugins can help identify and address vulnerabilities before they are exploited. To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-2162, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.