The WP Maps plugin for WordPress, with over 80,000 active installations, provides an easy interface for users to create interactive maps on their websites. However, in the course of a routine security assessment, a serious vulnerability was identified — CVE-2025-3503. This vulnerability allows users with editor-level access or higher to inject persistent JavaScript code (Stored XSS) into map content, opening the door to the creation of a backdoor and full account compromise.
CVE | CVE-2025-3503 |
WP Maps < 4.7.2 | |
Critical | High |
All Time | 3 166 732 |
Active installations | 80 000+ |
Publicly Published | April 22, 2025 |
Last Updated | April 22, 2025 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3503 https://wpscan.com/vulnerability/83ddd432-309f-4ff5-974c-fdc9c67d1051/ |
Timeline
April 5, 2025 | Plugin testing and vulnerability detection in WP Maps – Display Google Maps Perfectly with Ease were completed |
April 5, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
April 22, 2025 | Registered CVE-2025-3503 |
Discovery of the Vulnerability
The issue was discovered while testing the plugin’s ability to handle user-supplied input in various customizable fields. One such field, used for configuring the “Infowindow Message for Locations”, failed to properly sanitize input. This oversight allowed crafted payloads to be stored and executed when the map was later rendered. The vulnerability was confirmed across multiple WordPress environments and requires minimal permissions to exploit.
Understanding XSS Attacks
Cross-Site Scripting (XSS) vulnerabilities in WordPress can lead to severe consequences. In the case of Stored XSS, malicious code is permanently stored on the server and executed every time a user views the infected content. WordPress sites using plugins that mishandle input, especially from trusted roles like editors, are particularly at risk. Attackers can exploit XSS to execute JavaScript that performs unauthorized actions — from stealing cookies to creating new administrator accounts.
Exploiting the XSS Vulnerability
To exploit CVE-2025-3503, an attacker with editor+ privileges follows these steps:
POC:
1) Create a new WP Map.
2) Fill the "Map Title" and "Map height" fields with random values.
3) Go to the "Infowindow Message for Locations" section and enter 123"<img src=x onerror=alert(1)>
4) Save the map and go to this map.
(Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)
If exploited in a real-world setting, this vulnerability could allow attackers to hijack administrator sessions, create rogue admin accounts, or modify plugin settings to disable security features. It could be a part of a larger chain of attack for lateral movement within a compromised site or to inject SEO spam and phishing pages. Given the plugin’s popularity, the scale of exploitation could be significant if left unpatched.
Recommendations for Improved Security
All WP Maps users should immediately update to the latest patched version (if available) or disable the plugin until a fix is released. Developers must ensure that all user-supplied input — especially fields meant for HTML content — undergoes thorough sanitization using wp_kses() or similar WordPress-native mechanisms. For site owners, implementing role-based restrictions and disabling unfiltered_html for non-admins can reduce the blast radius of such vulnerabilities.
To prevent this type of attack, the vendor used our methods of prevention.
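As an added example (not code from the plugin or from the original post), the Python check below lets a site owner review exported "Infowindow Message for Locations" values and flag markup that an allowlist filter such as wp_kses() would strip. The allowlist, the `audit` helper and the sample values are assumptions constructed for illustration; how the values are exported from the site is left to the reader.

```python
from html.parser import HTMLParser

# Assumed allowlist for an infowindow message: tag -> permitted attributes.
ALLOWED = {
    "a": {"href", "title", "target", "rel"},
    "img": {"src", "alt", "width", "height"},
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "br": set(), "p": set(), "span": set(),
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


class InfowindowAuditor(HTMLParser):
    """Collects every tag or attribute that falls outside the allowlist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.findings.append(f"disallowed tag <{tag}>")
            return
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name not in ALLOWED[tag]:
                self.findings.append(f"disallowed attribute {name} on <{tag}>")
            elif name in URL_ATTRS and ":" in value.split("/")[0]:
                # A colon before the first slash means the value carries a scheme.
                if not value.lower().startswith(SAFE_SCHEMES):
                    self.findings.append(f"unsafe URL scheme in {name} on <{tag}>")


def audit(message):
    """Return the list of findings for one stored field value."""
    parser = InfowindowAuditor()
    parser.feed(message)
    parser.close()
    return parser.findings


# Constructed sample values; the second is the PoC string from this post.
SAMPLES = [
    'Open daily <strong>9-17</strong>, <a href="https://example.com/">details</a>',
    '123"<img src=x onerror=alert(1)>',
    '<a href="javascript:alert(1)">map</a>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample) or "clean", "<-", sample)
```

A non-empty result marks a value to review and re-save through a sanitizing path; the check reports findings only and does not rewrite the stored content.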
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-3503, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.