The WP Maps plugin is a popular solution for adding interactive maps to WordPress sites, boasting over 80,000 installations. However, during a security assessment, a severe vulnerability was discovered — a Stored Cross-Site Scripting (XSS) flaw that can be leveraged by an attacker with editor privileges to inject persistent JavaScript code. This code is later executed in the context of an administrator, potentially resulting in full site takeover.
CVE | CVE-2025-3504 |
WP Maps < 4.7.2 | |
Critical | High |
All Time | 3 166 732 |
Active installations | 80 000+ |
Publicly Published | April 22, 2025 |
Last Updated | April 22, 2025 |
Researcher | Dmitrii Ignatyev |
OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
PoC | Yes |
Exploit | No |
Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3504 https://wpscan.com/vulnerability/252484a6-96f0-43f3-a7dc-d20cc89ba119/ |
Plugin Security Certification by CleanTalk | ![]() |
Logo of the plugin | ![]() |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
April 5, 2025 | Plugin testing and vulnerability detection in the WP Maps – Display Google Maps Perfectly with Ease have been completed |
April 5, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
April 22, 2025 | Registered CVE-2025-3503 |
Discovery of the Vulnerability
The vulnerability was uncovered during a routine security test of form fields within the plugin’s map creation interface. It was found that the field responsible for storing the “Infowindow Message for Locations” did not adequately sanitize input before rendering it back to users, allowing malicious JavaScript to persist and execute.
Understanding of XSS attack’s
XSS in WordPress often stems from insufficient validation and escaping of user-controlled input. A classic example involves an editor injecting a <script>
tag or malicious <img onerror>
payload into a trusted field. When this field is later rendered in the admin interface — or worse, on the frontend for other users — the script runs in the victim’s browser, stealing cookies, session tokens, or even injecting admin-level commands.
In this case, WP Maps provided such an opportunity through map description fields, which are mistakenly assumed safe due to limited user roles having access — but with WordPress’ unfiltered_html
permission and plugin misconfiguration, exploitation becomes trivial.
Exploiting the XSS Vulnerability
To exploit CVE-2025-3504, an attacker with editor+ privileges:
POC:
1) Create new WP Map 2) Fill "Map Title" and "Map height" fields with random 3) Go to "*" section and put here 123"<img src=x onerror=alert(1)> 4) Save Map and go to this map. (Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)
____
If a contributor, editor, or compromised user injects such a payload, it opens a pathway for persistent backdoor creation. Once an admin loads the vulnerable map or its preview, malicious JavaScript executes silently — enabling privilege escalation or site compromise. In real-world scenarios, this could be chained with phishing, social engineering, or brute-force attempts to gain initial access.
On high-traffic or multi-author WordPress sites, this vulnerability poses a critical risk, as plugin trust boundaries are often misplaced. An attacker can weaponize this flaw to inject persistent JavaScript across key admin panels or public pages, compromising SEO, stealing sessions, or distributing malware.
Recommendations for Improved Security
The WP Maps plugin should implement strict server-side sanitization and encoding for all user inputs, especially those rendered as HTML.
WordPress site owners should restrict unfiltered_html
capabilities to administrators only and enforce stricter access control for editors and contributors.
Use web application firewalls (WAF) or security plugins that scan for and neutralize injected scripts in post metadata and plugin fields.
Regularly audit plugins and perform updates to ensure known vulnerabilities are patched promptly.
Train content editors and site maintainers on the risks of plugin misuse and how to identify suspicious behavior.
To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-3504, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.