The WP Maps plugin for WordPress, with over 80,000 active installations, provides an easy interface for users to create interactive maps on their websites. However, in the course of a routine security assessment, a serious vulnerability was identified — CVE-2025-3503. This vulnerability allows users with editor-level access or higher to inject persistent JavaScript code (Stored XSS) into map content, opening the door to the creation of a backdoor and full account compromise.

CVE: CVE-2025-3503
Affected versions: WP Maps < 4.7.2
Severity: High
All-time downloads: 3,166,732
Active installations: 80,000+
Publicly published: April 22, 2025
Last updated: April 22, 2025
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3503
https://wpscan.com/vulnerability/83ddd432-309f-4ff5-974c-fdc9c67d1051/

Timeline

April 5, 2025: Plugin testing and vulnerability detection in WP Maps – Display Google Maps Perfectly with Ease completed
April 5, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
April 22, 2025: Registered CVE-2025-3503

Discovery of the Vulnerability

The issue was discovered while testing the plugin’s handling of user-supplied input in its customizable fields. One such field, used for configuring the “Infowindow Message for Locations”, failed to properly sanitize input. This oversight allowed crafted payloads to be stored and later executed whenever the map was rendered. The vulnerability was confirmed across multiple WordPress environments and requires only editor-level permissions to exploit.

Understanding XSS attacks

Cross-Site Scripting (XSS) vulnerabilities in WordPress can lead to severe consequences. In the case of Stored XSS, malicious code is permanently stored on the server and executed every time a user views the infected content. WordPress sites using plugins that mishandle input, especially from trusted roles like editors, are particularly at risk. Attackers can exploit XSS to execute JavaScript that performs unauthorized actions — from stealing cookies to creating new administrator accounts.

Exploiting the XSS Vulnerability

To exploit CVE-2025-3503, an attacker with editor or higher privileges proceeds as follows.

PoC:

1) Create a new WP Map.
2) Fill the "Map Title" and "Map height" fields with arbitrary values.
3) Go to the "Infowindow Message for Locations" section and enter: 123"<img src=x onerror=alert(1)>
4) Save the map and open it.

(Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS with such roles.)


If exploited in a real-world setting, this vulnerability could allow attackers to hijack administrator sessions, create rogue admin accounts, or modify plugin settings to disable security features. It could be a part of a larger chain of attack for lateral movement within a compromised site or to inject SEO spam and phishing pages. Given the plugin’s popularity, the scale of exploitation could be significant if left unpatched.

Recommendations for Improved Security

All WP Maps users should immediately update to the latest patched version (if available) or disable the plugin until a fix is released. Developers must ensure that all user-supplied input — especially fields meant for HTML content — undergoes thorough sanitization using wp_kses() or similar WordPress-native mechanisms. For site owners, implementing role-based restrictions and disabling unfiltered_html for non-admins can reduce the blast radius of such vulnerabilities.
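The hardened save and render path below is an added example, not the plugin's own code: it applies the wp_kses() allow-list the recommendation describes to the "Infowindow Message for Locations" field on both input and output. The wpmaps_example_* function and option names and the POST field names are assumptions for illustration.

```php
<?php
// Added example, not WP Maps' own code. Names prefixed wpmaps_example_ and the
// POST field names are assumptions; the real plugin's internals differ.

// Allow-list of markup an infowindow legitimately needs. Event-handler
// attributes (onerror, onclick, ...) and <script> are not listed, so wp_kses()
// strips them: the payload 123"<img src=x onerror=alert(1)> keeps its <img>
// but loses the onerror handler, and nothing executes on render.
function wpmaps_example_allowed_infowindow_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'target' => true ),
        'img'    => array( 'src' => true, 'alt' => true, 'width' => true, 'height' => true ),
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
    );
}

function wpmaps_example_sanitize_infowindow( $raw ) {
    // wp_kses() also rejects unsafe URL schemes such as javascript: in href/src.
    return wp_kses( wp_unslash( $raw ), wpmaps_example_allowed_infowindow_html() );
}

// Form handler, hooked on admin_post_wpmaps_example_save (assumed action name).
function wpmaps_example_save_map() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'wpmaps_example_save' );

    $map = array(
        'title'      => sanitize_text_field( wp_unslash( $_POST['map_title'] ?? '' ) ),
        'height'     => absint( $_POST['map_height'] ?? 0 ),
        // Sanitize on input for every role: the fix must not depend on whether
        // the current user holds the unfiltered_html capability.
        'infowindow' => wpmaps_example_sanitize_infowindow( $_POST['infowindow_message'] ?? '' ),
    );
    update_option( 'wpmaps_example_map', $map );
}
add_action( 'admin_post_wpmaps_example_save', 'wpmaps_example_save_map' );

// Render path: filter again on output so maps stored before the fix are safe too.
function wpmaps_example_render_infowindow() {
    $map = get_option( 'wpmaps_example_map', array() );
    echo wp_kses( $map['infowindow'] ?? '', wpmaps_example_allowed_infowindow_html() );
}
```

Filtering on output as well as input is the part most often skipped; it is what protects content that was saved while the vulnerable version was installed.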

To prevent this type of attack, the vendor applied the prevention methods we recommended.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-3503, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2025-3503 – WP Maps – Stored XSS to JS Backdoor Creation – POC
