CVE-2025-2162

4.8 MEDIUM

📋 TL;DR

The MapPress Maps for WordPress plugin before version 2.94.10 does not sanitise or escape some of its settings, so a user with the administrator role can store JavaScript in them that runs in the browser of anyone who later views a page where the setting is rendered (stored cross-site scripting). The flaw matters most where administrators are not supposed to be able to inject script at all: WordPress multisite, where per-site admins lack the unfiltered_html capability, or any site that sets DISALLOW_UNFILTERED_HTML. Only WordPress sites running a vulnerable MapPress version are affected.

💻 Affected Systems

Products:
  • MapPress Maps for WordPress
Versions: All versions before 2.94.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with MapPress plugin. Vulnerability requires admin-level access to exploit.

📦 What is this software?

MapPress Maps for WordPress (plugin slug mappress-google-maps-for-wordpress) is a WordPress plugin for embedding interactive maps in posts and pages. Its behaviour is configured through an admin settings page, which is where the affected fields live.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker holding an administrator account (on multisite, a per-site administrator who is not a super admin) stores JavaScript in a MapPress setting. When a more privileged user such as a network super admin views the page where it is rendered, the script runs in that user's session and can drive the REST API or admin endpoints with their nonce to create accounts, install plugins, or change network settings, turning the XSS into privilege escalation and potentially complete site compromise. WordPress authentication cookies are HttpOnly, so a realistic payload acts on the victim's behalf rather than exfiltrating the cookie itself.

🟠

Likely Case

A malicious or compromised administrator account plants a script that runs for other users who view the page where the tainted setting is rendered, redirecting them or performing unauthorised actions as them.

🟢

If Mitigated

Once 2.94.10 or later is installed, the settings are sanitised and escaped and the issue is closed. Until then, impact is bounded by keeping the administrator role (and, on multisite, every per-site administrator role) to trusted accounts; regular users are affected only if they view a page where a tainted setting is rendered.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM
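To make the "not sanitised and escaped" point concrete, the following is an added illustration written for this advisory, not MapPress's own code: a hypothetical settings page with two fields, first in the vulnerable shape (stored raw, echoed raw) and then hardened. Every name prefixed xss_demo_ is invented for the example.

```php
<?php
/**
 * Added illustration for this advisory, not MapPress code: the same settings
 * fields implemented first in the vulnerable shape (stored raw, echoed raw)
 * and then hardened. All names prefixed xss_demo_ are hypothetical.
 */

// ---------------------------------------------------------------- vulnerable
// No sanitize_callback and no output escaping. register_setting() does not
// apply the unfiltered_html capability on its own, so a multisite site admin
// (who lacks that capability) can still store "<script>..." in these options.
function xss_demo_register_vulnerable() {
    register_setting( 'xss_demo', 'xss_demo_title' );
    register_setting( 'xss_demo', 'xss_demo_popup_html' );
}

function xss_demo_render_vulnerable() {
    $title = get_option( 'xss_demo_title', '' );
    $popup = get_option( 'xss_demo_popup_html', '' );
    echo '<input type="text" name="xss_demo_title" value="' . $title . '">'; // attribute context, unescaped
    echo '<div class="popup-preview">' . $popup . '</div>';                   // HTML context, unfiltered
}

// ------------------------------------------------------------------ hardened
// Plain-text field: strip all markup on save, escape for the attribute on output.
// HTML field: run wp_kses_post() on save AND on output. This deliberately does
// not honour unfiltered_html: that capability is exactly what multisite withholds
// from site admins, and a map popup template has no legitimate need for <script>,
// on* handlers or javascript: URLs, all of which wp_kses_post() removes.
function xss_demo_sanitize_popup_html( $value ) {
    return wp_kses_post( is_string( $value ) ? $value : '' );
}

function xss_demo_register_hardened() {
    register_setting( 'xss_demo', 'xss_demo_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
    register_setting( 'xss_demo', 'xss_demo_popup_html', array(
        'type'              => 'string',
        'sanitize_callback' => 'xss_demo_sanitize_popup_html',
        'default'           => '',
    ) );
}

// Output escaping is kept even though values were sanitised on save: the option
// may predate the sanitize_callback, or have been written by wp-cli or direct
// SQL, both of which bypass it.
function xss_demo_render_hardened() {
    $title = get_option( 'xss_demo_title', '' );
    $popup = get_option( 'xss_demo_popup_html', '' );
    echo '<input type="text" name="xss_demo_title" value="' . esc_attr( $title ) . '">';
    echo '<div class="popup-preview">' . wp_kses_post( $popup ) . '</div>';
}

add_action( 'admin_init', 'xss_demo_register_hardened' );
```

The design choice worth noting is the double application of wp_kses_post(): filtering on save stops the payload from ever being stored, filtering on output protects against values that reached the database by another route. Escaping functions are picked per context (esc_attr for an attribute, esc_html or wp_kses_post for element content); the wrong escaper for the context is a common way a "fixed" XSS survives.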

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin privileges. No public exploit code identified at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.94.10

Vendor Advisory: https://wpscan.com/vulnerability/06063788-7ab8-49cc-9911-1d9926fcf99d/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel (on a multisite network, use Network Admin → Plugins).
2. Navigate to Plugins → Installed Plugins.
3. Find MapPress Maps for WordPress.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.94.10 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Remove Admin Access

all

Temporarily restrict admin privileges to trusted users only until patch is applied.

Disable Plugin

linux

Deactivate the MapPress plugin if it is not essential for site functionality. On a multisite network where the plugin is network-activated, add --network to the command below; otherwise run it per site with --url=.

wp plugin deactivate mappress-google-maps-for-wordpress

🧯 If You Can't Patch

  • Audit which accounts hold the Administrator role (on multisite, on every site); they are the only actors who can exploit this. Remove or downgrade any that are not needed and monitor the rest for settings changes.
  • Deploy a web application firewall with XSS rules on the admin paths. Because the request comes from an authenticated administrator, a rule that blocks script markup in settings POSTs is a speed bump rather than a fix, and it may break legitimate settings that contain HTML.
  • Inspect the stored MapPress settings for script tags, on* event handlers or javascript: URLs; updating the plugin does not remove a payload that is already in the database.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → MapPress Maps for WordPress → Version number

Check Version:

wp plugin get mappress-google-maps-for-wordpress --field=version

Verify Fix Applied:

Confirm plugin version is 2.94.10 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity modifying MapPress plugin settings, especially from a per-site administrator on a multisite network
  • Script tags, on* event handlers or javascript: URLs appearing in stored MapPress configuration fields

Network Indicators:

  • Suspicious script tags in HTTP POST requests to admin-ajax.php or plugin settings pages

SIEM Query:

WordPress core does not log option changes, so the query below assumes an audit-log plugin or a custom updated_option hook writes such events to wordpress.log; adjust the source and field names to what your logging actually produces.

source="wordpress.log" AND "mappress" AND ("update_option" OR "plugin_settings")
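The version check from the verification section and the "JavaScript injection in plugin configuration fields" indicator above can be combined into one triage script run through wp-cli. The following is an added example written for this advisory, not part of the MapPress project. It assumes the plugin lives under the folder mappress-google-maps-for-wordpress and that its settings are stored in options whose names contain "mappress"; both are assumptions to adjust for a non-standard install.

```php
<?php
/**
 * Triage script for CVE-2025-2162, added here as an illustration and not part
 * of the MapPress project. Run it inside the WordPress install with:
 *     wp eval-file check-mappress.php
 * It (1) compares the installed MapPress version with the fixed release and
 * (2) scans stored options for script-like markup, which is the "JavaScript
 * injection in plugin configuration fields" indicator. Assumptions: the plugin
 * folder is mappress-google-maps-for-wordpress and its settings live in options
 * whose names contain "mappress".
 */

if ( ! defined( 'ABSPATH' ) || ! class_exists( 'WP_CLI' ) ) {
    fwrite( STDERR, "Run this with: wp eval-file check-mappress.php\n" );
    exit( 2 );
}

$fixed_version = '2.94.10';
$plugin_dir    = 'mappress-google-maps-for-wordpress/'; // assumed folder name
$exit_code     = 0;

// --- 1. Version check, read from the plugin header like the admin UI does.
if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}
$installed = null;
foreach ( get_plugins() as $plugin_file => $headers ) {
    if ( 0 === strpos( $plugin_file, $plugin_dir ) ) {
        $installed = array( 'file' => $plugin_file, 'version' => $headers['Version'] );
        break;
    }
}

if ( null === $installed ) {
    WP_CLI::log( 'MapPress not installed under ' . $plugin_dir . ' (not vulnerable).' );
} elseif ( version_compare( $installed['version'], $fixed_version, '<' ) ) {
    WP_CLI::warning( sprintf( 'MapPress %s < %s: VULNERABLE (active: %s)',
        $installed['version'], $fixed_version,
        is_plugin_active( $installed['file'] ) ? 'yes' : 'no' ) );
    $exit_code = 1;
} else {
    WP_CLI::success( 'MapPress ' . $installed['version'] . ' is at or above ' . $fixed_version );
}

// --- 2. Scan for stored payloads. The raw option_value is searched rather than
// the unserialized array, so nested settings are covered without walking them.
// Patching does not clean up data an attacker already stored, so run this after
// the update as well.
global $wpdb;
$pattern = '/<\s*script|<\s*(iframe|svg|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:/i';
$rows    = $wpdb->get_results( $wpdb->prepare(
    "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
    '%' . $wpdb->esc_like( 'mappress' ) . '%'   // assumed naming of the settings options
) );

foreach ( $rows as $row ) {
    if ( preg_match( $pattern, $row->option_value, $m, PREG_OFFSET_CAPTURE ) ) {
        $snippet = substr( $row->option_value, max( 0, $m[0][1] - 40 ), 120 );
        WP_CLI::warning( sprintf( 'Suspicious markup in option %s: ...%s...',
            $row->option_name, str_replace( "\n", ' ', $snippet ) ) );
        $exit_code = 1;
    }
}
WP_CLI::log( sprintf( 'Scanned %d mappress option(s) on %s', count( $rows ), get_option( 'siteurl' ) ) );

// Non-zero exit lets a cron job or CI step fail on a vulnerable or tainted site.
exit( $exit_code );
```

On a multisite network the options table is per site, so run the script once per site, for example `for u in $(wp site list --field=url); do wp --url="$u" eval-file check-mappress.php; done`. A hit from the scan is not proof of exploitation (a legitimate setting may contain an on* attribute name inside ordinary text), so review the quoted snippet before removing anything.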
