CVE-2025-3504 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP Maps WordPress plugin versions prior to 4.7.2. The vulnerability arises because the plugin fails to properly sanitize and escape certain map settings inputs. This flaw allows users with high privileges, such as administrators, to inject malicious scripts that are persistently stored and executed when other users or the admin themselves access the affected map settings or pages. Notably, this vulnerability can be exploited even when the WordPress unfiltered_html capability is disabled, such as in multisite environments, which typically restricts the ability to insert raw HTML or scripts. The CVSS 3.1 base score is 3.5, indicating a low severity level. The vector string (AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N) shows that the attack requires network access, low attack complexity, high privileges, and user interaction, with limited impact on confidentiality and integrity, and no impact on availability. No known exploits are currently reported in the wild, and no official patches or updates have been linked yet. The vulnerability is categorized under CWE-79, which is a common and well-understood class of XSS issues. Since WP Maps is a WordPress plugin, the vulnerability affects websites using this plugin, potentially exposing administrative interfaces to script injection attacks that could lead to session hijacking, defacement, or redirection to malicious sites if exploited successfully.

For European organizations, the impact of this vulnerability is generally limited due to the requirement for high privilege (admin) access and user interaction. However, in environments where multiple administrators manage WordPress sites, especially multisite setups common in larger organizations or managed service providers, the risk increases. Exploitation could lead to unauthorized actions performed in the context of an admin user, such as stealing session tokens, modifying site content, or injecting malicious payloads that affect site visitors or other admins. This could result in reputational damage, data leakage, or compliance issues under regulations like GDPR if personal data is compromised. The limited CVSS score reflects the low likelihood of exploitation without prior admin access, but the persistent nature of stored XSS means that once exploited, the impact can be significant. European organizations relying on WP Maps for location-based services on their WordPress sites should be aware of this risk, especially those in sectors with high regulatory scrutiny or public-facing websites with multiple administrators.

1. Immediate upgrade to WP Maps version 4.7.2 or later once available, as this will contain the necessary sanitization and escaping fixes. 2. Until a patch is released, restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce the risk of credential compromise. 3. Review and audit all map settings inputs for suspicious or unexpected content, especially any HTML or script-like entries. 4. Implement Content Security Policy (CSP) headers to limit the impact of potential XSS by restricting script sources and execution contexts. 5. Regularly monitor WordPress logs and admin activities for unusual behavior that could indicate exploitation attempts. 6. Consider disabling or removing the WP Maps plugin if it is not essential, or replace it with alternative plugins that have a stronger security track record. 7. Educate administrators about the risks of stored XSS and safe content management practices, particularly in multisite environments where unfiltered_html is disabled but this vulnerability still applies.