
CVE-2024-13648: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in icopydoc Maps for WP

Severity: Medium
Tags: CVE-2024-13648, CWE-79
Published: Fri Feb 21 2025 (02/21/2025, 09:21:06 UTC)
Source: CVE Database V5
Vendor/Project: icopydoc
Product: Maps for WP

Description

CVE-2024-13648 is a stored cross-site scripting (XSS) vulnerability in the Maps for WP WordPress plugin, affecting all versions up to and including 1.2.4. It arises from missing input sanitization and output escaping of user-supplied attributes in the 'MapOnePoint' shortcode, allowing authenticated users with contributor-level access or higher to inject arbitrary scripts. Because the payload is stored with the post, it executes whenever any user views the affected page, potentially leading to session hijacking, defacement, or other malicious actions. The vulnerability has a CVSS score of 6.4 (medium severity); it requires no user interaction but does require authentication with low privileges. No known exploits are reported in the wild yet. Organizations using this plugin should prioritize patching or mitigating this issue to prevent exploitation.

AI-Powered Analysis

Last updated: 02/25/2026, 23:14:59 UTC

Technical Analysis

The Maps for WP plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2024-13648. This vulnerability exists in the 'MapOnePoint' shortcode due to insufficient sanitization and escaping of user-supplied attributes. Authenticated attackers with contributor-level permissions or higher can inject arbitrary JavaScript code into pages using this shortcode. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all versions up to and including 1.2.4 of the plugin. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and a scope change with low confidentiality and integrity impacts but no availability impact. No patches or fixes have been linked yet, and no active exploits are currently known. The vulnerability was published in February 2025 and assigned by Wordfence. This issue highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content or shortcode attributes.
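The following is an added illustration of the bug class described above, written for this page; it is not code from the Maps for WP plugin, and the shortcode name, attribute names and function names are assumptions. It contrasts a shortcode handler that interpolates attributes straight into markup with one that validates the coordinates and escapes every attribute for the HTML context it lands in, which is the class of fix a plugin author would apply for CWE-79.

```php
<?php
// Hypothetical shortcode rendering one map marker from user-supplied attributes.
// Shortcode name 'example_map_point' and its attributes are assumptions for this
// example; they are not the plugin's real identifiers.

// Vulnerable pattern: attribute values reach the page unescaped. A contributor
// can write a title such as  "><img src=x onerror=...>  in a post and the
// resulting markup is stored and rendered for every visitor.
function example_map_point_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'lat' => '0', 'lng' => '0', 'title' => '' ),
        $atts,
        'example_map_point'
    );
    // Direct string concatenation: HTML attribute context, no escaping.
    return '<div class="map-point" data-lat="' . $atts['lat'] . '"'
         . ' data-lng="' . $atts['lng'] . '"'
         . ' data-title="' . $atts['title'] . '"></div>';
}

// Hardened pattern: validate what can be validated, escape the rest for the
// exact output context. Rendering is pushed into data attributes that an
// enqueued front-end script reads via element.dataset, so no value is ever
// interpolated into inline JavaScript.
function example_map_point_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'lat' => '0', 'lng' => '0', 'title' => '' ),
        $atts,
        'example_map_point'
    );

    // Coordinates have a known shape: reject anything that is not a number
    // instead of trying to "clean" it.
    if ( ! is_numeric( $atts['lat'] ) || ! is_numeric( $atts['lng'] ) ) {
        return '';
    }
    $lat = (float) $atts['lat'];
    $lng = (float) $atts['lng'];
    if ( $lat < -90 || $lat > 90 || $lng < -180 || $lng > 180 ) {
        return '';
    }

    // Free-text title: strip tags and control characters on the way in,
    // then escape for the HTML attribute context on the way out.
    $title = sanitize_text_field( $atts['title'] );

    return sprintf(
        '<div class="map-point" data-lat="%s" data-lng="%s" data-title="%s"></div>',
        esc_attr( (string) $lat ),
        esc_attr( (string) $lng ),
        esc_attr( $title )
    );
}

add_shortcode( 'example_map_point', 'example_map_point_hardened' );
```

The design point is that escaping is chosen per output context: `esc_attr()` for HTML attributes, `esc_html()` for element text, and no inline script at all, so that a contributor-supplied value can never change the structure of the page. Validation of the numeric fields is done first because a rejected value is cheaper and safer than a sanitized one.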

Potential Impact

The primary impact of this vulnerability is the potential for attackers with contributor-level access to inject persistent malicious scripts into WordPress sites using the Maps for WP plugin. This can lead to session hijacking, theft of sensitive user information such as cookies or credentials, unauthorized actions performed on behalf of users, defacement, or distribution of malware. Since the scripts execute in the context of the victim's browser, it can compromise the confidentiality and integrity of user data. Although the vulnerability does not affect availability, the reputational damage and potential data breaches can be significant. Organizations relying on this plugin for location mapping on their WordPress sites are at risk, especially if they allow contributor-level users or higher to add content. The scope of affected systems includes any WordPress site with the vulnerable plugin installed, which can be substantial given WordPress's widespread use. The requirement for authentication limits exploitation to insiders or compromised accounts, but this is often a realistic threat vector in multi-user environments.

Mitigation Recommendations

Since no official patch or update link is provided yet, organizations should implement immediate mitigations to reduce risk. First, restrict contributor-level and higher user permissions to trusted individuals only, minimizing the chance of malicious input. Disable or remove the Maps for WP plugin if it is not essential. If the plugin is required, consider temporarily disabling the 'MapOnePoint' shortcode or filtering its input using a Web Application Firewall (WAF) that can detect and block XSS payloads in shortcode attributes. Site administrators should monitor user-generated content for suspicious scripts and sanitize inputs manually if possible. Regularly audit user accounts and enforce strong authentication to prevent account compromise. Stay alert for official patches or updates from the vendor and apply them promptly once available. Additionally, implement Content Security Policy (CSP) headers to restrict script execution sources, which can mitigate the impact of injected scripts. Finally, educate content contributors about secure input practices and the risks of injecting untrusted code.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-23T14:50:12.463Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e64b7ef31ef0b59fdf8

Added to database: 2/25/2026, 9:49:24 PM

Last enriched: 2/25/2026, 11:14:59 PM

Last updated: 2/26/2026, 8:09:06 AM
