CVE-2025-14851 is a stored cross-site scripting vulnerability classified under CWE-79, found in the YaMaps for WordPress plugin developed by yhunter. The vulnerability exists in all versions up to and including 0.6.40 due to insufficient sanitization and escaping of user-supplied input in the `yamap` shortcode parameters. This flaw allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages generated by the plugin. When other users visit these pages, the injected scripts execute in their browsers, potentially enabling session hijacking, privilege escalation, or unauthorized actions within the context of the affected site. The vulnerability is remotely exploitable over the network without user interaction but requires the attacker to have authenticated access with at least Contributor rights. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with attack vector as network, low attack complexity, privileges required, no user interaction, and scope changed due to impact on other users. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple contributors. The lack of patch links indicates that a fix may not yet be available, emphasizing the need for immediate mitigation.

The primary impact of this vulnerability is on the confidentiality and integrity of affected WordPress sites. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, theft of sensitive information, defacement, or unauthorized actions performed on behalf of users. Although availability is not directly impacted, the reputational damage and potential data breaches can be severe. Organizations relying on the YaMaps plugin for map functionality on their WordPress sites face increased risk of compromise, especially if they allow multiple contributors or have high traffic. The vulnerability could be leveraged to spread malware, conduct phishing attacks, or pivot to further internal attacks. Since exploitation requires authentication, the threat is somewhat limited to insiders or compromised accounts, but the ease of exploitation and the widespread use of WordPress make this a notable risk globally.

Organizations should immediately review user roles and restrict Contributor-level access to trusted users only. Implement strict input validation and output encoding for all shortcode parameters, especially `yamap`, to prevent script injection. If a patch becomes available from the vendor, apply it promptly. Until then, consider disabling or removing the YaMaps plugin to eliminate the attack surface. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the shortcode parameters. Conduct regular audits of user-generated content for suspicious scripts. Enhance monitoring and logging to detect unusual activities related to script injections or privilege misuse. Educate content contributors about the risks of injecting untrusted content. Finally, maintain updated backups to enable recovery in case of compromise.