The WP Maps plugin is a popular solution for adding interactive maps to WordPress sites, boasting over 80,000 installations. However, during a security assessment, a severe vulnerability was discovered — a Stored Cross-Site Scripting (XSS) flaw that can be leveraged by an attacker with editor privileges to inject persistent JavaScript code. This code is later executed in the context of an administrator, potentially resulting in full site takeover.

CVECVE-2025-3504
WP Maps < 4.7.2
CriticalHigh
All Time3 166 732
Active installations80 000+
Publicly PublishedApril 22, 2025
Last UpdatedApril 22, 2025
ResearcherDmitrii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
PoCYes
ExploitNo
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3504
https://wpscan.com/vulnerability/252484a6-96f0-43f3-a7dc-d20cc89ba119/
Plugin Security Certification by CleanTalk
Logo of the plugin

Join the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.

PSC by Cleantalk

Timeline

April 5, 2025Plugin testing and vulnerability detection in the WP Maps – Display Google Maps Perfectly with Ease have been completed
April 5, 2025I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
April 22, 2025Registered CVE-2025-3503

Discovery of the Vulnerability

The vulnerability was uncovered during a routine security test of form fields within the plugin’s map creation interface. It was found that the field responsible for storing the “Infowindow Message for Locations” did not adequately sanitize input before rendering it back to users, allowing malicious JavaScript to persist and execute.

Understanding of XSS attack’s

XSS in WordPress often stems from insufficient validation and escaping of user-controlled input. A classic example involves an editor injecting a <script> tag or malicious <img onerror> payload into a trusted field. When this field is later rendered in the admin interface — or worse, on the frontend for other users — the script runs in the victim’s browser, stealing cookies, session tokens, or even injecting admin-level commands.

In this case, WP Maps provided such an opportunity through map description fields, which are mistakenly assumed safe due to limited user roles having access — but with WordPress’ unfiltered_html permission and plugin misconfiguration, exploitation becomes trivial.

Exploiting the XSS Vulnerability

To exploit CVE-2025-3504, an attacker with editor+ privileges:

POC:

1) Create new WP Map
2) Fill "Map Title" and "Map height" fields with random 
3) Go to "*" section and put here 123"<img src=x onerror=alert(1)>
4) Save Map and go to this map.
(Admins and editors are allowed to use JS in posts/pages/comments/etc, so the unfiltered_html capability should be disallowed when testing for Stored XSS using such roles)

____

If a contributor, editor, or compromised user injects such a payload, it opens a pathway for persistent backdoor creation. Once an admin loads the vulnerable map or its preview, malicious JavaScript executes silently — enabling privilege escalation or site compromise. In real-world scenarios, this could be chained with phishing, social engineering, or brute-force attempts to gain initial access.

On high-traffic or multi-author WordPress sites, this vulnerability poses a critical risk, as plugin trust boundaries are often misplaced. An attacker can weaponize this flaw to inject persistent JavaScript across key admin panels or public pages, compromising SEO, stealing sessions, or distributing malware.

Recommendations for Improved Security

The WP Maps plugin should implement strict server-side sanitization and encoding for all user inputs, especially those rendered as HTML.

WordPress site owners should restrict unfiltered_html capabilities to administrators only and enforce stricter access control for editors and contributors.

Use web application firewalls (WAF) or security plugins that scan for and neutralize injected scripts in post metadata and plugin fields.

Regularly audit plugins and perform updates to ensure known vulnerabilities are patched promptly.

Train content editors and site maintainers on the risks of plugin misuse and how to identify suspicious behavior.

To prevent this type of attacks vendor used our methods of prevention.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-3504, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii I.
CVE-2025-3504 – WP Maps – Stored XSS to JS Backdoor Creation – POC

Leave a Reply

Your email address will not be published. Required fields are marked *