CVE-2025-12369 is a stored Cross-Site Scripting vulnerability identified in the Extensions for Leaflet Map plugin for WordPress, which is widely used to integrate interactive maps into websites. The vulnerability arises from improper neutralization of user-supplied input in the geojsonmarker shortcode, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code. This occurs because the plugin fails to adequately sanitize and escape input attributes before rendering them on web pages. When a malicious script is injected, it is stored persistently and executed in the browsers of any users who visit the affected pages, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the user. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No patches have been released at the time of this report, and no active exploits are known. The vulnerability affects all versions up to and including 4.7 of the plugin. Since WordPress is a popular CMS in Europe, and this plugin is used for map integration, the risk is significant for websites that allow contributors to add or edit content without strict input validation controls.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the Extensions for Leaflet Map plugin on WordPress platforms. The ability for authenticated contributors to inject persistent scripts can lead to session hijacking, unauthorized data access, defacement, or distribution of malware to site visitors. This can damage organizational reputation, lead to data breaches involving user credentials or personal data, and disrupt service availability indirectly through compromised accounts. Organizations in sectors such as media, education, government, and tourism—where interactive maps are frequently used—may face targeted exploitation. The confidentiality and integrity of user data and site content are at risk, but availability impact is minimal. Since exploitation requires authenticated access, the threat is mitigated somewhat by strong access controls but remains significant where contributor roles are broadly assigned or poorly managed.

1. Monitor for official patches or updates from the hupe13 project and apply them immediately once available. 2. Until patches are released, restrict Contributor-level permissions to trusted users only and consider temporarily disabling the plugin if feasible. 3. Implement additional input validation and output encoding at the WordPress site level, especially for shortcodes and user-generated content fields. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script injection patterns targeting the geojsonmarker shortcode. 5. Conduct regular security audits of user roles and permissions to minimize the number of users with content editing capabilities. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission guidelines. 7. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 8. Monitor logs for unusual activity related to shortcode usage or contributor account behavior to detect early exploitation attempts.