CVE-2025-3504
📋 TL;DR
The WP Maps WordPress plugin before version 4.7.2 contains a stored cross-site scripting (XSS) vulnerability in its map settings. It allows authenticated administrators to inject scripts that execute when other users view affected pages, even in environments where the unfiltered_html capability is restricted. This matters most for WordPress multisite installations and other configurations with strict content filtering, where administrators are not normally permitted to store unfiltered HTML.
💻 Affected Systems
- WP Maps WordPress Plugin
📦 What is this software?
Wp Maps by Weplugins
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin privileges could inject malicious JavaScript that steals session cookies, redirects users to phishing sites, or performs actions on behalf of authenticated users, potentially leading to complete site compromise.
Likely Case
Malicious admin injects tracking scripts or defaces website content visible to other users, damaging reputation and potentially capturing user data.
If Mitigated
With proper user access controls and content security policies, impact is limited to visual defacement or minor data leakage from users viewing affected pages.
🎯 Exploit Status
Exploitation requires admin privileges. Attack involves injecting JavaScript into map settings fields that lack proper sanitization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.2
Vendor Advisory: https://wpscan.com/vulnerability/252484a6-96f0-43f3-a7dc-d20cc89ba119/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the WP Maps plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 4.7.2+ from the WordPress repository.
🔧 Temporary Workarounds
Remove Admin Access from Untrusted Users
Limit admin privileges to only essential, trusted personnel to reduce the attack surface.
Implement Content Security Policy
Add CSP headers to restrict script execution sources and mitigate XSS impact. Note that a strict script-src 'self' also blocks inline scripts that many WordPress themes and plugins rely on, so test the policy on a staging site before deploying it.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to WordPress functions.php: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
🧯 If You Can't Patch
- Disable WP Maps plugin entirely until patched
- Implement strict user access controls and monitor admin activity logs
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → WP Maps version number
Check Version:
wp plugin list --name='wp-maps' --field=version (if WP-CLI is installed)
Verify Fix Applied:
Confirm WP Maps plugin version is 4.7.2 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual admin user modifying map settings
- JavaScript injection patterns in plugin settings
Network Indicators:
- Unexpected external script loads from map pages
- Suspicious outbound connections from map content
SIEM Query:
source="wordpress.log" AND "wp-maps" AND ("update_option" OR "save_settings")
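The log indicators and SIEM query above can be turned into a small offline check. The following Python script is an added example, not part of the advisory or the plugin: it assumes a constructed key=value audit-log format and that the plugin's option names start with wp-maps, decodes URL- and entity-encoded values before matching, and flags writes to map settings that contain script-like content.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample events (not from the advisory). The field layout is an
# assumption: "<timestamp> user=<login> action=<hook> option=<name> value=<url-encoded>".
SAMPLE_LOG = """\
2025-04-10T10:01:02Z user=alice action=update_option option=wp-maps_title value=Store%20Locator
2025-04-10T10:05:44Z user=bob action=update_option option=wp-maps_infowindow value=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
2025-04-10T10:07:13Z user=bob action=save_settings option=wp-maps_marker value=%26lt%3Bimg%20src%3Dx%20onerror%3Dalert%281%29%26gt%3B
2025-04-10T10:09:30Z user=carol action=update_option option=blogname value=My%20Site
2025-04-10T10:11:05Z user=alice action=update_option option=wp-maps_zoom value=javascript%3Aalert%281%29
"""

FIELD_RE = re.compile(r'(\w+)=(\S+)')

# Markers of active content rather than plain map text (tags, inline handlers, URL schemes).
SCRIPT_PATTERNS = [
    re.compile(r'<\s*script\b', re.I),
    re.compile(r'\bon[a-z]+\s*=', re.I),          # onerror=, onload=, ...
    re.compile(r'javascript\s*:', re.I),
    re.compile(r'<\s*(iframe|object|embed)\b', re.I),
]

def normalize(raw):
    """Undo URL encoding and (possibly nested) HTML entities so an encoded payload is matched decoded."""
    value = unquote(raw)
    for _ in range(2):                             # &amp;lt; -> &lt; -> <
        value = html.unescape(value)
    return value

def parse_event(line):
    fields = dict(FIELD_RE.findall(line))
    return fields if {'user', 'action', 'option', 'value'} <= fields.keys() else None

def is_map_setting_write(ev):
    # Mirrors the SIEM query: option writes that touch the plugin's settings.
    return ev['action'] in ('update_option', 'save_settings') and ev['option'].startswith('wp-maps')

def find_suspicious_writes(log_text):
    """Return (user, option, matched_pattern) for each wp-maps setting write with script-like content."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or not is_map_setting_write(ev):
            continue
        decoded = normalize(ev['value'])
        for pat in SCRIPT_PATTERNS:
            if pat.search(decoded):
                findings.append((ev['user'], ev['option'], pat.pattern))
                break
    return findings
```

Running find_suspicious_writes(SAMPLE_LOG) reports the two writes by bob and the javascript: URL saved by alice, while the harmless title and the unrelated blogname change are ignored.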