CVE-2025-13850 is a stored cross-site scripting (XSS) vulnerability identified in the LS Google Map Router plugin for WordPress, affecting all versions up to and including 1.1.0. The vulnerability stems from improper neutralization of input during web page generation, specifically inadequate sanitization and escaping of the 'map_type' parameter. Authenticated users with Contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages generated by the plugin. Because the injected scripts are stored persistently, they execute every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the user. The vulnerability is classified under CWE-79 and has a CVSS v3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. The scope is changed, as the vulnerability can affect other users viewing the injected content. No patches or official fixes have been published yet, and no known exploits are reported in the wild. The vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that allow user-generated content or parameters influencing page rendering.

The impact of CVE-2025-13850 on organizations worldwide can be significant, particularly for those relying on WordPress websites with the LS Google Map Router plugin installed. Successful exploitation allows attackers with Contributor-level access to inject malicious scripts that execute in the browsers of any user visiting the compromised pages. This can lead to session hijacking, theft of sensitive information such as authentication cookies, unauthorized actions performed on behalf of users, defacement, or distribution of malware. While the vulnerability does not directly affect server availability or integrity, the compromise of user accounts and data confidentiality can damage organizational reputation and trust. Since Contributor-level access is required, the threat is somewhat mitigated by access controls, but insider threats or compromised accounts increase risk. The absence of known exploits in the wild suggests limited current exploitation, but the medium severity score and ease of exploitation warrant prompt attention to prevent future attacks.

To mitigate CVE-2025-13850 effectively, organizations should take the following specific actions: 1) Immediately review and restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. 2) Monitor and audit user-generated content and parameters related to the 'map_type' field for suspicious input patterns. 3) Deploy a Web Application Firewall (WAF) with rules designed to detect and block common XSS payloads targeting the vulnerable parameter. 4) If possible, disable or remove the LS Google Map Router plugin until an official patch or update is released. 5) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 6) Educate site administrators and contributors about the risks of XSS and safe content handling practices. 7) Regularly back up website data and configurations to enable recovery in case of compromise. 8) Stay informed about updates from the plugin vendor or WordPress security advisories for patches addressing this vulnerability.