CVE-2025-13958
Unknown Unknown - Not Provided
Stored XSS in YaMaps WordPress Plugin via Unescaped Shortcodes

Publication date: 2025-12-29

Last updated on: 2025-12-29

Assigner: WPScan

Description
The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-29
Last Modified
2025-12-29
Generated
2026-06-16
AI Q&A
2025-12-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-13958
EUVD
EUVD-2025-205552
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress wordpress_plugin 0.6.40
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the YaMaps for WordPress Plugin (versions before 0.6.40) is due to the plugin not properly validating and escaping some of its shortcode attributes before displaying them on a page or post. This flaw allows users with contributor role or higher to inject malicious scripts that get stored and executed when the page is viewed, leading to Stored Cross-Site Scripting (XSS) attacks.

Impact Analysis

This vulnerability can allow attackers with contributor or higher privileges to execute malicious scripts in the context of the website. This can lead to unauthorized actions such as stealing user session cookies, defacing the website, redirecting users to malicious sites, or performing actions on behalf of other users, potentially compromising the security and integrity of the website and its users.

Detection Guidance

This vulnerability can be detected by checking if your WordPress site is running the YaMaps plugin version prior to 0.6.40. You can look for shortcode attributes in posts or pages that may contain unescaped or suspicious script tags. A practical approach is to search the WordPress database for shortcode usage with potentially malicious script injections. For example, you can run a SQL query on your WordPress database to find shortcode attributes containing script tags: SELECT * FROM wp_posts WHERE post_content LIKE '%[yamaps%script%]%'; Additionally, manual inspection of posts by users with Contributor role or higher for injected scripts can help detect exploitation. There are no specific network commands provided in the resources. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the YaMaps WordPress plugin to version 0.6.40 or later, where the issue has been fixed. Additionally, restrict the Contributor role or higher users from adding shortcodes until the update is applied, and review existing content for any malicious shortcode injections. Implementing proper input validation and escaping on shortcode attributes is essential, but updating the plugin is the primary and recommended mitigation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13958. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart