CVE-2025-13850: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ladislavsoukupgmailcom LS Google Map Router
The LS Google Map Router plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'map_type' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-13850 is a stored Cross-Site Scripting (XSS) vulnerability in the LS Google Map Router plugin for WordPress, affecting all versions up to and including 1.1.0. The root cause (CWE-79) is that the 'map_type' parameter is neither restricted to the values the plugin expects on input nor escaped when it is written into the generated page, so a value containing HTML or JavaScript is stored and later rendered verbatim. Any authenticated user with the Contributor role or higher can supply it. Contributors matter here because they can author posts but do not hold the unfiltered_html capability: script placed directly in post content is stripped by WordPress's KSES filter, whereas a plugin parameter that is echoed without escaping bypasses that filter entirely. A Contributor's post also does not need to be published for the payload to fire: it executes when an Editor or Administrator previews the pending post, and on every visit once the post is live. Script running in an Administrator's browser can perform any action the administrator can, including creating users or installing plugins, which is the privilege-escalation path. WordPress sets its authentication cookies HttpOnly, so stealing the session cookie itself is unlikely; the practical impact is unauthorized actions performed in the victim's session and content injected into the site.
The CVSS 3.1 base score is 6.4 (Medium). The page gives a network attack vector, low attack complexity, low privileges required (an authenticated Contributor), no user interaction beyond viewing the page, and changed scope (the vulnerable component is the plugin on the server, the impacted component is the victim's browser); with no availability impact, that score is consistent with low confidentiality and low integrity impact. No public exploit had been reported at the time of publication, but stored XSS in WordPress plugins requires no special tooling and is routinely exploited once the injection point is known. The advisory lists no patch link, which suggests no fixed release was available at publication time; treat every installed version as affected until the plugin's changelog shows a fix for this CVE.
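The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code (the LS Google Map Router source is not reproduced on this page): the `ls_demo_*` names and the allowlist are assumptions, and `map_type` is assumed to arrive as a shortcode attribute selecting the Google Maps base map type. The first handler echoes the attribute raw; the second validates it against an allowlist and still escapes it on output.

```php
<?php
/*
 * Added illustration of the vulnerable pattern and its fix. This is NOT the
 * LS Google Map Router plugin's code (not shown on this page); ls_demo_* names
 * and the allowlist are assumptions. It assumes map_type arrives as a
 * shortcode attribute selecting the Google Maps base map type.
 */

// VULNERABLE: the attribute is written into the markup unescaped.
// A Contributor cannot publish, but can save a post containing
//   [ls_demo_map map_type='" onmouseover="alert(1)']
// KSES leaves shortcode text alone (it is not an HTML tag), the plugin
// stores it, and the output below breaks out of the data attribute when
// an Editor or Administrator previews the post.
function ls_demo_map_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'map_type' => 'roadmap' ), $atts, 'ls_demo_map' );
    return '<div class="ls-map" data-map-type="' . $atts['map_type'] . '"></div>';
}

// HARDENED: validate on input against the small set of values the feature
// needs, fall back to a safe default, and still escape on output. The
// escaping is deliberately kept even though the allowlist alone would stop
// this payload: a later change that widens the allowlist must not reopen
// the bug.
function ls_demo_map_hardened( $atts ) {
    $atts    = shortcode_atts( array( 'map_type' => 'roadmap' ), $atts, 'ls_demo_map' );
    $allowed = array( 'roadmap', 'satellite', 'hybrid', 'terrain' ); // Google Maps base map types
    $type    = sanitize_key( $atts['map_type'] );                   // lower-case [a-z0-9_-] only
    if ( ! in_array( $type, $allowed, true ) ) {
        $type = 'roadmap';
    }
    return '<div class="ls-map" data-map-type="' . esc_attr( $type ) . '"></div>';
}

// Register only the hardened handler; the vulnerable one is kept for comparison.
add_shortcode( 'ls_demo_map', 'ls_demo_map_hardened' );
```

The order of the two defences matters in review: `sanitize_key()` plus the allowlist is the input-side fix the CNA description calls "input sanitization", and `esc_attr()` is the output-side fix it calls "output escaping". Either alone would stop the payload above; a plugin that relies on only one of them tends to regress when the parameter is later reused in a different output context.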
Potential Impact
For European organizations the exposure is confined to WordPress sites running the LS Google Map Router plugin, but on those sites the consequences are those of any stored XSS in a CMS: scripts run in the site's origin with the privileges of whoever views the injected page. Against ordinary visitors this enables defacement, phishing overlays that capture credentials, or redirection to malware. Against Editors and Administrators, who are the users most likely to open a Contributor's pending post, it enables unauthorized actions in their session, and a compromised administrator session is sufficient to take over the site and establish a persistent foothold (a new administrator account or a malicious plugin). Availability is not directly affected, which keeps the CVSS severity at Medium, but confidentiality and integrity failures on a public-facing site carry reputational cost and, where personal data is exposed, GDPR notification obligations. Exposure is highest where Contributor or higher roles are granted liberally (agencies, multi-author publications, sites whose new-user default role is Contributor) or where such accounts are protected only by passwords, since a compromised or insider Contributor account is all the attacker needs. The absence of a public exploit reduces immediate risk but should not be relied on.
Mitigation Recommendations
European organizations running the plugin should take the following steps:
1) Audit who holds the Contributor, Author, Editor and Administrator roles and remove accounts that no longer need them. Check Settings > General: if "Anyone can register" is enabled, the New User Default Role must be Subscriber, so that self-registration cannot yield a Contributor account.
2) Review content already written by Contributor-level accounts, including drafts and pending posts, for 'map_type' values that are not simple identifiers. A stored payload persists in the database until the post is edited or deleted, so updating the plugin later does not remove it.
3) If a WAF is in use, add a rule for this CVE, but note where the payload enters: it is written through the post editor (the REST API at /wp-json/wp/v2/posts or wp-admin/post.php), not through a 'map_type' query parameter on the front end. A rule that only inspects front-end requests will miss it.
4) Monitor WordPress activity logs for Contributor accounts creating or editing posts that contain the plugin's shortcode or parameter, and for administrator sessions performing unexpected actions (new users, plugin installs, option changes) shortly after previewing a pending post.
5) Deactivate or remove the plugin until a release fixing this CVE is available, then update promptly. Deactivation stops the vulnerable code from rendering stored payloads even though the content remains in the database. A generic security plugin cannot add output escaping to another plugin's code, so it is not a substitute for this step or for the vendor fix.
6) Deploy a Content-Security-Policy that disallows inline script as a defence-in-depth control. WordPress core and many plugins rely on inline scripts, so this requires nonces or hashes and testing on a staging site first; a policy that includes 'unsafe-inline' provides no protection against this bug.
7) Brief Editors and Administrators that previewing a pending post is itself the trigger for this vulnerability; a shortcode with an odd-looking 'map_type' value in a Contributor's submission should be treated as an incident, not cleaned up silently.
8) Keep WordPress core and all plugins current so that the fix is applied as soon as it ships.
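Step 2 above, a review of stored content for injected 'map_type' values, as an added audit script that is not part of the advisory or of the plugin. It runs inside WordPress (for example with `wp eval-file audit-map-type.php`), assumes 'map_type' appears as a shortcode-style attribute in post_content, and flags any value that is not a short alphanumeric token; if the plugin stores the parameter elsewhere (post meta, an options row), the query must be adjusted. The `ls_demo_` name and the token pattern are assumptions.

```php
<?php
/*
 * Added audit script, not part of the advisory or the plugin. Lists posts
 * whose stored content carries a 'map_type' value that is not a plain
 * alphanumeric token. Run inside WordPress, e.g. `wp eval-file audit-map-type.php`.
 * Assumes map_type appears as a shortcode-style attribute in post_content.
 */

function ls_demo_find_suspicious_map_type() {
    global $wpdb;

    // Every non-revision post (any status: drafts and pending posts matter here,
    // because previewing them is the trigger) that mentions the parameter at all.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_author, post_status, post_content
               FROM {$wpdb->posts}
              WHERE post_type <> 'revision'
                AND post_content LIKE %s",
            '%' . $wpdb->esc_like( 'map_type' ) . '%'
        )
    );

    // map_type=... with double quotes, single quotes, or no quotes at all.
    $attr_re = '/map_type\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]\/]+))/i';
    // What a legitimate value is assumed to look like (roadmap, satellite, ...).
    $token_re = '/^[a-z0-9_-]{0,32}$/i';

    $findings = array();
    foreach ( $rows as $row ) {
        if ( ! preg_match_all( $attr_re, $row->post_content, $m, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $m as $match ) {
            // Only the capture group that participated is non-empty; trailing
            // unmatched groups are absent from $match, hence the null coalescing.
            $value = $match[1] ?? '';
            if ( '' === $value ) {
                $value = $match[2] ?? '';
            }
            if ( '' === $value ) {
                $value = $match[3] ?? '';
            }
            if ( ! preg_match( $token_re, $value ) ) {
                $findings[] = array(
                    'ID'     => (int) $row->ID,
                    'author' => (int) $row->post_author,
                    'status' => $row->post_status,
                    'value'  => $value,
                );
            }
        }
    }
    return $findings;
}

foreach ( ls_demo_find_suspicious_map_type() as $f ) {
    printf( "post %d (author %d, %s): map_type=%s\n", $f['ID'], $f['author'], $f['status'], $f['value'] );
}
```

Treat each hit as something to read, not something to auto-delete: the script reports the post ID, the author and the publication status, so the author account can be checked against step 1 and the post's revision history can show when the value was introduced.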
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-01T19:55:39.821Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693b9183650da22753edbb41
Added to database: 12/12/2025, 3:52:35 AM
Last enriched: 12/19/2025, 4:14:58 AM
Last updated: 2/3/2026, 12:10:40 PM