CVE-2025-58265 is a Stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the Stonehenge Creations Events Manager – OpenStreetMaps plugin. This vulnerability arises from improper neutralization of input during web page generation, allowing malicious scripts to be injected and stored within the application. When other users access the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability impacts versions up to 4.2.1 of the Events Manager – OpenStreetMaps plugin. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) shows that the attack can be performed remotely over the network with low attack complexity, requires low privileges and user interaction, and has a scope change, affecting confidentiality, integrity, and availability to a limited extent. No known exploits are currently reported in the wild, and no patches have been linked yet, suggesting the vulnerability is relatively new. The vulnerability is significant because stored XSS can be leveraged for persistent attacks against users of the affected system, especially in environments where the plugin is used to manage event data and map integrations, potentially exposing sensitive user information and enabling further exploitation.

For European organizations using the Stonehenge Creations Events Manager – OpenStreetMaps plugin, this vulnerability poses a risk of persistent cross-site scripting attacks that can compromise user accounts, steal sensitive data, and disrupt event management operations. Given that event management platforms often handle personal data, including user registrations and location information, exploitation could lead to breaches of GDPR regulations, resulting in legal and financial repercussions. Additionally, attackers could leverage the XSS vulnerability to perform phishing or social engineering attacks targeting employees or customers, undermining trust and causing reputational damage. The scope change in the vulnerability means that exploitation could affect multiple users and systems beyond the initially compromised component, increasing the potential impact. Organizations relying on this plugin for public-facing event management or internal scheduling should be particularly cautious, as attackers could manipulate event data or inject malicious content that affects a broad user base.

European organizations should immediately audit their use of the Events Manager – OpenStreetMaps plugin and identify affected versions (up to 4.2.1). Until an official patch is released, implement strict input validation and output encoding on all user-supplied data related to event creation and map inputs to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor web application logs for unusual input patterns or repeated failed attempts to inject scripts. Educate users to recognize suspicious content and avoid clicking on unexpected links or inputs within the event management system. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting this plugin. Once a patch becomes available, prioritize its deployment and verify the effectiveness of the fix through penetration testing. Additionally, review and update incident response plans to address potential XSS exploitation scenarios.