CVE-2025-5194
BaseFortify
Publication date: 2025-06-27
Last updated on: 2025-07-07
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_map_block_project | wp_map_block | to 2.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5194 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Map Block WordPress plugin before version 2.0.3. The plugin does not properly validate and escape some block options, specifically the marker content, before outputting them on pages or posts. This allows users with Contributor role or higher to inject malicious scripts that get stored and executed when the post is viewed, potentially compromising site security. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with Contributor privileges to inject malicious scripts into posts or pages. When other users view the affected content, the malicious script executes, which can lead to unauthorized actions such as stealing cookies, session hijacking, defacement, or spreading malware. This compromises the security and integrity of the website and its users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WordPress site is using the WP Map Block plugin version prior to 2.0.3. Additionally, you can test for the vulnerability by attempting to insert a payload such as `<img src=x onerror=alert(/XSS/)>` into the marker content field of the block as a user with Contributor role or higher, then previewing the post to see if the script executes. There are no specific network commands provided, but verifying the plugin version and testing the marker content input for script execution are effective detection methods. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the WP Map Block plugin to version 2.0.3 or later, where the issue has been fixed. Additionally, restrict Contributor role users from adding or editing the vulnerable block until the update is applied to prevent exploitation. [1]