CVE-2025-9352
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-08-29
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pronamic | google_maps | 2.4.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Pronamic Google Maps plugin for WordPress, affecting all versions up to and including 2.4.1. It occurs because the plugin does not properly sanitize and escape input in the description field, allowing authenticated users with Contributor-level access or higher to inject malicious scripts. These scripts then execute whenever any user views the affected page, potentially compromising user security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your WordPress site is running the Pronamic Google Maps plugin version 2.4.1 or earlier. You can look for pages where the plugin outputs map data using hidden HTML input fields containing JSON data, which indicates the vulnerable versions. For detection, you can use commands like: 1. Using curl and grep to find hidden inputs with JSON data: curl -s https://your-site.com/page-with-map | grep '<input type="hidden" name="pronamic_google_maps_info"' 2. Using WP-CLI to check the installed plugin version: wp plugin list --status=active | grep pronamic-google-maps If the version is 2.4.1 or below, the site is vulnerable. Note: Detection involves inspecting the HTML source for hidden input fields related to the plugin or verifying the plugin version installed.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Pronamic Google Maps WordPress plugin to version 2.4.2 or later, where the vulnerability is fixed by removing the use of hidden HTML input fields for JSON data and embedding the data securely in JavaScript variables. Additionally, ensure all plugin dependencies are updated to their latest secure versions as included in the update. If updating immediately is not possible, restrict Contributor-level access and above to trusted users only, as the vulnerability requires authenticated users with at least Contributor privileges to exploit. [1, 2]
How can this vulnerability impact me? :
The vulnerability allows attackers with Contributor-level access or higher to inject arbitrary web scripts into pages via the description field. When other users access these pages, the malicious scripts execute in their browsers. This can lead to unauthorized actions such as stealing user credentials, session hijacking, defacement, or other malicious activities that compromise the integrity and security of the website and its users.