The OpenStreetMap for Gutenberg and WPBakery Page Builder plugin is designed to help WordPress users easily embed customizable and interactive maps into their posts and pages. However, in version 1.2.0 and below, a Stored Cross-Site Scripting (XSS) vulnerability exists, which allows Contributor-level users to inject persistent JavaScript code into map marker popup text. This can lead to account compromise, content injection, and potentially full site takeover.
| Field | Value |
|---|---|
| CVE | CVE-2025-6572 |
| Plugin | OpenStreetMap for Gutenberg |
| Severity | High |
| All Time | 15 000 |
| Active installations | 1 000+ |
| Publicly Published | July 28, 2025 |
| Last Updated | July 28, 2025 |
| Researcher | Artyom Krugov |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6572, https://wpscan.com/vulnerability/58c7a8ac-1acd-45b7-abe5-5635fbb5d4c1/ |
Timeline
| Date | Event |
|---|---|
| June 24, 2024 | Plugin testing and vulnerability detection in OpenStreetMap for Gutenberg were completed |
| June 24, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| July 18, 2025 | Registered CVE-2025-6572 |
Discovery of the Vulnerability
During a manual security review, it was discovered that the popup text field in the marker settings is not properly sanitized or escaped. As a result, any user with Contributor+ capabilities can inject a script into this field, which is then executed whenever someone (including administrators) clicks on the map marker in the frontend or block editor preview.
Understanding XSS attacks
Stored XSS is one of the most severe vulnerabilities in web applications. Unlike reflected XSS, which requires interaction with a crafted URL, stored XSS is saved on the server and triggers whenever the data is rendered.
Why it’s critical in WordPress:
- WordPress is inherently multi-user.
- Plugins often store and display user-generated content.
- Admins may unknowingly trigger payloads injected by contributors.
Real-world examples of vulnerable plugin fields:
- Bio fields in user profiles
- Custom input fields in forms
- Meta boxes in post editors
- Shortcodes that process attributes or inner content
In this case, the popup text of the marker is rendered without escaping, so the malicious content is inserted directly into the DOM.
Exploiting the XSS Vulnerability
To exploit CVE-2025-6572, an attacker with Contributor+ privileges proceeds as follows.
PoC:
1) The attacker (Contributor role) inserts the payload into the Popup Text field.
2) The payload is saved as part of the post content or block data.
3) When an admin or visitor clicks on the marker, the payload is executed.
Possible Advanced Payloads:
- Cookie stealing via `document.cookie`
- Session hijacking
- Malicious redirection
- Hidden admin account creation via REST API
Recommendations for Improved Security
For Plugin Developers:
- Sanitize Input: Use `sanitize_text_field()` or `wp_kses_post()` on popup text fields.
- Escape Output: When rendering marker content, use `esc_html()` or `esc_attr()` based on context.
- Validate Shortcode Attributes: Properly clean both block and shortcode content.
For Site Administrators:
- Update Plugin: Immediately upgrade to the patched version (if/when available) or disable the plugin temporarily.
- Restrict Contributor Capabilities: Avoid assigning Contributor roles full access to block editors without filtering.
- Use a WAF: Solutions like Wordfence or Sucuri can block XSS attempts at the server level.
- Audit Content Regularly: Check user-generated content for suspicious HTML or JavaScript.
- Isolate User Roles: Avoid letting Contributors publish content directly on production sites.
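The following is an added example, not code from the plugin or from CleanTalk, written in JavaScript because the popup is built in the browser. It shows the unsafe rendering pattern beside a hardened one that escapes the stored popup text (the same intent as `esc_html()` on the server), plus an audit heuristic that flags stored popup text containing script-capable markup, covering both the developer and the administrator recommendations above. The function names, the assumption that the map library treats a popup content string as HTML, and the sample marker data are all constructed for this page.

```javascript
// Added example (not the plugin's code): escaping marker popup text before it is
// rendered, the unsafe pattern beside the hardened one, and an audit heuristic for
// stored popup text. Function names and sample data are constructed for this page.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape text for an HTML body context (same intent as WordPress's esc_html()).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: the stored popup text is concatenated into HTML unchanged.
// A map library that treats popup content strings as HTML (assumed here) turns any
// markup a Contributor saved into live DOM when the marker is clicked.
function renderPopupUnsafe(popupText) {
  return `<div class="marker-popup">${popupText}</div>`;
}

// Hardened pattern: the same text is escaped first, so stored tags render as
// literal characters instead of elements and no script can run.
function renderPopupSafe(popupText) {
  return `<div class="marker-popup">${escapeHtml(popupText)}</div>`;
}

// Audit heuristic for administrators reviewing stored block data: returns the
// patterns matched by script tags, inline event handlers, javascript: URLs or
// embedding elements. It is a triage aid, not a sanitizer.
const SUSPICIOUS = [/<\s*script\b/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i, /<\s*(iframe|object|embed)\b/i];

function auditPopupText(popupText) {
  return SUSPICIOUS.filter((re) => re.test(String(popupText))).map((re) => re.source);
}

// Constructed sample markers, shaped like block attributes a plugin might store.
const SAMPLE_MARKERS = [
  { lat: 52.52, lon: 13.405, popup: "Brandenburg Gate" },
  { lat: 48.8566, lon: 2.3522, popup: "<script>alert(document.cookie)</script>" },
];

for (const m of SAMPLE_MARKERS) {
  const hits = auditPopupText(m.popup);
  console.log(hits.length ? `FLAGGED (${hits.join(", ")})` : "clean", "->", renderPopupSafe(m.popup));
}
```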
To prevent this type of attack, the vendor applied our recommended prevention methods.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-6572, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Artyom k.