CVE-2025-23775 identifies a stored Cross-site Scripting (XSS) vulnerability in the WWP GMAPS for WPBakery Page Builder Free plugin, specifically affecting versions up to 1.2. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be injected and stored persistently within the plugin's output. When a victim visits a compromised page, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, unauthorized actions on behalf of the user, or distribution of malware. The vulnerability does not require authentication or user interaction beyond page load, increasing its risk profile. Although no public exploits have been reported yet, the widespread use of WPBakery Page Builder and its associated plugins in WordPress sites makes this a notable threat. The lack of a CVSS score means severity must be assessed based on the vulnerability's characteristics: stored XSS is generally considered high risk due to its persistence and impact on confidentiality and integrity. The vulnerability was published on January 16, 2025, by Patchstack, and no official patches or mitigations have been linked yet, emphasizing the need for immediate attention from site administrators.

The stored XSS vulnerability in WWP GMAPS for WPBakery Page Builder Free can have severe consequences for affected organizations. Attackers can inject malicious scripts that execute in the browsers of site visitors or administrators, leading to theft of session cookies, user credentials, or other sensitive information. This can result in unauthorized access to user accounts or administrative functions, enabling further compromise of the website or backend systems. Additionally, attackers may use the vulnerability to deface websites, distribute malware, or conduct phishing attacks by injecting deceptive content. The persistence of stored XSS increases the risk as the malicious payload remains active until removed, potentially affecting all visitors to the compromised pages. For organizations relying on WordPress sites with this plugin, the vulnerability threatens confidentiality, integrity, and availability of web resources and user data. The ease of exploitation without authentication or user interaction broadens the attack surface, making it attractive to attackers. The reputational damage and potential regulatory consequences from data breaches further amplify the impact.

To mitigate CVE-2025-23775, organizations should first check for and apply any official patches or updates released by WWP for the GMAPS for WPBakery Page Builder Free plugin as soon as they become available. In the absence of patches, administrators should consider temporarily disabling or removing the affected plugin to eliminate the attack vector. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections can provide interim protection. Site owners should audit all user-generated content and plugin inputs for suspicious scripts and sanitize or remove them. Employing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts in browsers. Regularly scanning the website for XSS vulnerabilities using automated tools and manual testing is recommended. Additionally, educating site administrators and users about the risks of XSS and safe content handling practices can reduce exploitation chances. Monitoring site logs for unusual activity and establishing incident response procedures will aid in rapid detection and remediation if exploitation occurs.