CVE-2025-7660
BaseFortify
Publication date: 2025-07-18
Last updated on: 2025-07-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpres | map_my_locations | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Map My Locations WordPress plugin. It occurs because the plugin does not properly sanitize or escape user-supplied attributes in its 'map_my_locations' shortcode. Authenticated users with contributor-level access or higher can inject malicious scripts into pages. These scripts then execute whenever any user views the affected page, potentially compromising user data or site integrity.
How can this vulnerability impact me? :
The vulnerability allows attackers with contributor-level access to inject arbitrary JavaScript into pages via the plugin's shortcode. This can lead to unauthorized actions such as stealing user session cookies, defacing the website, redirecting users to malicious sites, or performing actions on behalf of other users without their consent. It compromises the security and trustworthiness of the affected website.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Map My Locations WordPress plugin version 1.1 or earlier is installed and if the 'map_my_locations' shortcode is used with unsanitized user input. Since the vulnerability is a Stored Cross-Site Scripting (XSS) via shortcode attributes, you can detect suspicious script injections in pages using this shortcode. Commands to detect this could include searching the WordPress database for posts or pages containing the shortcode with suspicious script tags. For example, using WP-CLI: `wp db query "SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%[map_my_locations%<script%'"` to find posts with potential injected scripts. Additionally, monitoring HTTP responses for unexpected script tags in pages using this shortcode can help detect exploitation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the Map My Locations plugin to a version later than 1.1 where the vulnerability is fixed. 2) If an update is not immediately available, restrict contributor-level and above users from adding or editing content with the 'map_my_locations' shortcode until a patch is applied. 3) Review and sanitize any existing content using the shortcode to remove injected scripts. 4) Implement Web Application Firewall (WAF) rules to block common XSS payloads targeting this shortcode. 5) Monitor and audit user inputs and shortcode usage to prevent exploitation.