CVE-2025-11813 is a stored cross-site scripting (XSS) vulnerability identified in the Responsive iframe GoogleMap plugin for WordPress, affecting all versions up to and including 1.0.2. The root cause is insufficient sanitization and escaping of user-supplied input in the 'width' and 'height' attributes of the 'responsive_map' shortcode. This flaw allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into WordPress pages. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the site context. The vulnerability is remotely exploitable over the network without user interaction but requires low-level authentication, making it accessible to a broad range of internal users. The CVSS 3.1 score of 6.4 reflects a medium severity, with a vector indicating network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. No patches or official fixes have been published as of the vulnerability disclosure date (October 22, 2025), and no active exploitation has been reported. This vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks. The plugin's widespread use in WordPress sites that embed Google Maps via iframes increases the potential attack surface.

The primary impact of CVE-2025-11813 is the compromise of confidentiality and integrity within affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of site visitors, potentially stealing session cookies, redirecting users to phishing sites, or performing unauthorized actions on behalf of users with higher privileges. This can lead to account takeover, data leakage, and reputational damage. Since the vulnerability does not affect availability directly, denial-of-service is less likely. However, the scope change indicated in the CVSS vector means that the vulnerability can affect resources beyond the initially compromised component, potentially impacting the entire site or network of users. Organizations relying on this plugin for embedding Google Maps are at risk, especially those with multiple contributors or editors. The lack of user interaction requirement increases the risk of automated exploitation once an attacker gains contributor access. Although no known exploits are currently in the wild, the vulnerability's presence in a popular WordPress plugin makes it a likely target for future attacks.

Until an official patch is released, organizations should implement several specific mitigations: 1) Restrict contributor-level access to trusted users only, minimizing the risk of malicious script injection. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious input patterns targeting the 'width' and 'height' shortcode attributes. 3) Conduct manual or automated code reviews of content submitted by contributors to detect injected scripts. 4) Use security plugins that sanitize shortcode inputs or filter HTML and JavaScript content in posts and pages. 5) Monitor site logs and user activity for unusual behavior indicative of XSS exploitation attempts. 6) Consider temporarily disabling or replacing the Responsive iframe GoogleMap plugin with alternative mapping solutions that do not have this vulnerability. 7) Educate content contributors about safe input practices and the risks of injecting untrusted code. 8) Prepare to apply official patches promptly once available and test updates in staging environments before production deployment.