CVE-2025-12369 is a stored cross-site scripting (XSS) vulnerability identified in the Extensions for Leaflet Map plugin for WordPress, specifically affecting all versions up to and including 4.7. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The plugin's geojsonmarker shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored in the website's content, it executes in the context of any user who views the compromised page, potentially leading to session hijacking, unauthorized actions, or data theft. The vulnerability is exploitable remotely over the network without user interaction, but requires authenticated access with at least Contributor privileges, which limits the attack surface to some extent. The CVSS v3.1 base score is 6.4, reflecting a medium severity level with partial impact on confidentiality and integrity but no impact on availability. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The issue highlights the importance of proper input validation and output encoding in WordPress plugins that handle user-generated content, especially those that allow shortcode attributes to be user-controlled.

The vulnerability allows attackers with Contributor-level access to inject persistent malicious scripts into web pages, which execute in the browsers of site visitors and administrators. This can lead to theft of authentication cookies, enabling session hijacking and privilege escalation. Attackers might also deface websites, manipulate displayed content, or perform unauthorized actions on behalf of other users. Although availability is not impacted, the compromise of confidentiality and integrity can damage organizational reputation, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. Organizations relying on the affected plugin for mapping functionality on WordPress sites are at risk of targeted attacks, especially if they have multiple contributors or less stringent access controls. The medium CVSS score reflects the need for timely remediation to prevent exploitation, particularly in environments with many users and sensitive data.

Organizations should immediately audit their WordPress installations for the presence of the Extensions for Leaflet Map plugin and verify the version in use. Since no official patch links are currently available, administrators should consider temporarily disabling the plugin or restricting Contributor-level user permissions to trusted individuals only. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious script injection attempts targeting the geojsonmarker shortcode can provide interim protection. Additionally, site owners should enforce strict input validation and output encoding practices in custom code and monitor logs for unusual activities related to shortcode usage. Regularly updating WordPress core and plugins once patches are released is critical. Educating contributors about the risks of injecting untrusted content and reviewing user roles to minimize unnecessary privileges will reduce the attack surface. Finally, conducting security scans and penetration tests focusing on XSS vulnerabilities can help identify and remediate similar issues proactively.