The OpenStreetMap for Gutenberg and WPBakery Page Builder plugin is designed to help WordPress users easily embed customizable and interactive maps into their posts and pages. However, in version 1.2.0 and below, a Stored Cross-Site Scripting (XSS) vulnerability exists, which allows Contributor-level users to inject persistent JavaScript code into map marker popup text. This can lead to account compromise, content injection, and potentially full site takeover.

CVE: CVE-2025-6572
Plugin: OpenStreetMap for Gutenberg
Criticality: High
All Time: 15 000
Active installations: 1 000+
Publicly Published: July 28, 2025
Last Updated: July 28, 2025
Researcher: Artyom Krugov
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6572
https://wpscan.com/vulnerability/58c7a8ac-1acd-45b7-abe5-5635fbb5d4c1/

Timeline

June 24, 2024: Plugin testing and vulnerability detection in OpenStreetMap were completed.
June 24, 2024: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing.
July 18, 2025: Registered CVE-2025-6572.

Discovery of the Vulnerability

During a manual security review, it was discovered that the popup text field in the marker settings is not properly sanitized or escaped. As a result, any user with Contributor+ capabilities can inject a script into this field, which is then executed whenever someone (including administrators) clicks on the map marker in the frontend or block editor preview.

Understanding XSS Attacks

Stored XSS is one of the most severe vulnerabilities in web applications. Unlike reflected XSS, which requires interaction with a crafted URL, stored XSS is saved on the server and triggers whenever the data is rendered.

Why it’s critical in WordPress:

  • WordPress is inherently multi-user.
  • Plugins often store and display user-generated content.
  • Admins may unknowingly trigger payloads injected by contributors.

Real-world examples of vulnerable plugin fields:

  • Bio fields in user profiles
  • Custom input fields in forms
  • Meta boxes in post editors
  • Shortcodes that process attributes or inner content

In this case, the popup text of the marker is rendered without escaping, inserting the malicious content directly into the DOM.

Exploiting the XSS Vulnerability

To exploit CVE-2025-6572, an attacker with Contributor+ privileges proceeds as follows.

PoC:

1) The attacker (Contributor role) inserts the payload into the Popup Text field.
2) The payload is saved as part of the post content or block data.
3) When an admin or visitor clicks on the marker, the payload is executed.


Possible Advanced Payloads:

  • Cookie stealing: document.cookie
  • Session hijacking
  • Malicious redirection
  • Hidden admin account creation via REST API

Recommendations for Improved Security

For Plugin Developers:

  • Sanitize Input: Use sanitize_text_field() or wp_kses_post() on popup text fields.
  • Escape Output: When rendering marker content, use esc_html() or esc_attr() based on context.
  • Validate Shortcode Attributes: Properly clean both block and shortcode content.
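As an added illustration of the three developer recommendations above (and of the "audit content" advice for administrators further down), the following PHP applies an allowlist to marker popup text on save, escapes it for the attribute context on output, and flags stored values that the allowlist would alter. This is example code written for this write-up, not code from the plugin; the `osm_example_*` function names and the `data-popup` attribute convention are assumptions, while `wp_kses()`, `sanitize_text_field()`, `esc_attr()` and `esc_html()` are standard WordPress functions.

```php
<?php
/**
 * Added example for CVE-2025-6572 (not the plugin's own code).
 * Hypothetical helpers showing sanitize-on-input and escape-on-output
 * for a map marker popup text field.
 */

// Allowlist for popup text: basic formatting and links only (assumption:
// the popup needs nothing richer). <script>, on* event handlers and
// javascript: URLs are not listed, so wp_kses() strips them.
function osm_example_popup_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'b'      => array(),
        'strong' => array(),
        'i'      => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

// Sanitize on input: call this when block attributes or shortcode
// attributes for a marker are saved, before the value is persisted.
function osm_example_sanitize_popup_text( $raw ) {
    return wp_kses( (string) $raw, osm_example_popup_allowed_html() );
}

// Variant for a plain-text popup: no markup is kept at all.
function osm_example_sanitize_popup_plain( $raw ) {
    return sanitize_text_field( (string) $raw );
}

// Escape on output (attribute context): the marker is emitted as a
// container element whose data attributes the front-end script reads
// and hands to the map library. esc_attr() keeps the value inside the
// attribute; the allowlisted HTML itself is harmless after wp_kses().
function osm_example_marker_html( $lat, $lng, $popup_text ) {
    // Re-sanitize at render time: stored values may predate the fix.
    $popup = osm_example_sanitize_popup_text( $popup_text );
    return sprintf(
        '<div class="osm-marker" data-lat="%s" data-lng="%s" data-popup="%s"></div>',
        esc_attr( (string) (float) $lat ),
        esc_attr( (string) (float) $lng ),
        esc_attr( $popup )
    );
}

// Escape on output (HTML body context): when the popup text is printed
// directly into page markup as text, esc_html() is the right call.
function osm_example_popup_plain_html( $popup_text ) {
    return '<span class="osm-popup">'
        . esc_html( osm_example_sanitize_popup_plain( $popup_text ) )
        . '</span>';
}

// Audit helper for administrators: true when the stored value contains
// markup the allowlist would remove, i.e. it deserves a manual look.
function osm_example_popup_text_is_suspicious( $stored ) {
    return osm_example_sanitize_popup_text( $stored ) !== (string) $stored;
}
```

The point of sanitizing on save and escaping on output is that each step protects against a different failure: the allowlist removes executable content before it is stored, and the context-specific escaping prevents even allowlisted text from breaking out of the attribute or element it is placed in. The audit helper can be run over existing marker data after updating, since content stored before the fix is not changed by the update itself.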

For Site Administrators:

  • Update Plugin: Immediately upgrade to the patched version (if/when available) or disable the plugin temporarily.
  • Restrict Contributor Capabilities: Avoid assigning Contributor roles full access to block editors without filtering.
  • Use a WAF: Solutions like Wordfence or Sucuri can block XSS attempts at the server level.
  • Audit Content Regularly: Check user-generated content for suspicious HTML or JavaScript.
  • Isolate User Roles: Avoid letting Contributors publish content directly on production sites.

To prevent this type of attack, the vendor applied the prevention methods we recommended.

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-6572 WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #Vulnerability


Artyom k.
CVE-2025-6572 – OpenStreetMap – Stored XSS to JS Backdoor Creation – POC
