CVE-2025-4131 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the GmapsMania plugin for WordPress, developed by garubi. This vulnerability exists in all versions up to and including 1.1 of the plugin. The root cause is insufficient input sanitization and output escaping on user-supplied attributes within the plugin's 'gmap' shortcode. Specifically, authenticated users with contributor-level access or higher can inject arbitrary JavaScript code into pages via crafted shortcode attributes. When other users visit these compromised pages, the injected scripts execute in their browsers within the context of the vulnerable site. This can lead to session hijacking, privilege escalation, defacement, or redirection to malicious sites. The vulnerability does not require user interaction beyond visiting the affected page, and no higher privileges than contributor are needed to exploit it. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, and a scope change since the vulnerability affects other users beyond the attacker. The impact affects confidentiality and integrity but not availability. No known exploits have been reported in the wild yet, and no patches have been published at the time of analysis. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web application security flaw. Given the widespread use of WordPress and the popularity of mapping plugins, this vulnerability poses a significant risk to websites using GmapsMania, especially those allowing contributor-level user registrations or access.

For European organizations, this vulnerability can lead to unauthorized script execution on websites that use the GmapsMania plugin, potentially compromising user sessions and data confidentiality. Attackers with contributor access can inject malicious scripts that execute in the browsers of site visitors, including administrators or other privileged users, leading to credential theft, unauthorized actions, or distribution of malware. This can damage organizational reputation, lead to data breaches under GDPR regulations, and cause operational disruptions if administrative accounts are compromised. Organizations relying on WordPress-based public-facing websites, intranets, or portals that incorporate GmapsMania are at risk. The scope of impact extends to any user accessing the infected pages, increasing the potential damage. Since contributor-level access is sufficient for exploitation, organizations with open or lightly controlled user registration policies are particularly vulnerable. The lack of patches and known exploits means organizations must proactively mitigate the risk. The vulnerability does not directly affect availability but can indirectly cause service disruptions if exploited for further attacks or defacements.

1. Immediately audit WordPress sites for the presence of the GmapsMania plugin and identify versions in use. 2. Restrict contributor-level access strictly, ensuring only trusted users have such permissions. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs that may contain script tags or event handlers. 4. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS. 5. Monitor website content for unauthorized script injections or unexpected changes in pages using the gmap shortcode. 6. Educate content contributors about safe input practices and the risks of injecting untrusted content. 7. If possible, temporarily disable or remove the GmapsMania plugin until a security patch is released. 8. Keep WordPress core and all plugins updated regularly and subscribe to vendor security advisories for timely patching. 9. Use security plugins that can scan for XSS vulnerabilities and malicious code injections. 10. Implement multi-factor authentication for administrative accounts to mitigate the risk of credential theft via XSS.