The GmapsMania plugin for WordPress, widely used to embed Google Maps via a shortcode, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-4131. This vulnerability is due to insufficient sanitization and escaping of user-supplied input in the gmap shortcode attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. When a page containing the malicious shortcode is viewed, the injected script executes in the context of the victim's browser, potentially enabling session hijacking, privilege escalation, or unauthorized actions within the WordPress site. The vulnerability affects all versions up to and including 1.1. The CVSS 3.1 base score is 6.4, reflecting a medium severity with a network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), and a scope change (S:C) indicating that the vulnerability affects resources beyond the security scope of the vulnerable component. Confidentiality and integrity impacts are low, while availability is unaffected. No public exploits have been reported yet, but the vulnerability's nature and ease of exploitation by authenticated users make it a significant risk for sites using this plugin. The lack of available patches at the time of publication necessitates immediate mitigation measures.

This vulnerability allows authenticated contributors or higher to inject persistent malicious scripts into WordPress pages, which execute in the browsers of any users viewing those pages. The impact includes potential theft of session cookies, enabling account takeover, unauthorized actions performed with victim privileges, and defacement or misinformation through manipulated page content. While availability is not directly affected, the integrity and confidentiality of user data and site content are at risk. For organizations relying on WordPress sites with the GmapsMania plugin, this could lead to compromised user accounts, loss of customer trust, and potential regulatory consequences if user data is exposed. The scope change in the CVSS vector indicates that the vulnerability can affect components beyond the plugin itself, potentially impacting other parts of the site or integrated systems. Given the contributor-level access required, insider threats or compromised accounts increase the risk of exploitation.

Organizations should immediately audit their WordPress installations to identify the presence of the GmapsMania plugin and its version. Until an official patch is released, administrators should restrict contributor-level access to trusted users only and consider temporarily disabling or uninstalling the plugin to eliminate the attack vector. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the gmap shortcode parameters can provide interim protection. Additionally, site administrators should enforce strict input validation and output encoding practices in custom code and review user-generated content for suspicious scripts. Monitoring site logs for unusual activity and conducting regular security scans can help detect exploitation attempts. Once a patch becomes available, prompt updating of the plugin is critical. Educating users with contributor access about the risks and signs of compromise can further reduce exploitation likelihood.