CVE-2025-62942 is a stored Cross-site Scripting (XSS) vulnerability found in the tempranova WP Mapbox GL JS Maps WordPress plugin, affecting all versions up to and including 3.0.1. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored persistently within the plugin's data. When a victim visits a compromised page, the injected script executes in their browser context, potentially enabling attackers to steal authentication cookies, perform actions on behalf of the user, deface the website, or deliver malware. The vulnerability is particularly dangerous because it is stored XSS, meaning the malicious payload remains on the server and affects all users who access the infected content. No CVSS score has been assigned yet, and no public exploits have been reported, but the risk remains significant due to the widespread use of WordPress and the popularity of mapping plugins. The vulnerability affects organizations that use this plugin to embed Mapbox GL JS maps on their WordPress sites, which may include government, educational, and commercial entities. The lack of a patch link indicates that a fix may not yet be available, increasing the urgency for interim mitigations. Attackers do not require authentication to exploit this vulnerability if the plugin allows unauthenticated input, increasing the attack surface. Stored XSS vulnerabilities are often leveraged in targeted attacks or mass exploitation campaigns, making timely remediation critical.

For European organizations, exploitation of this vulnerability could lead to significant confidentiality breaches through session hijacking, integrity issues via unauthorized content modification, and availability impacts if attackers deface or disrupt website functionality. Organizations that rely on WordPress sites with the WP Mapbox GL JS Maps plugin for public-facing services or internal portals could suffer reputational damage, loss of customer trust, and potential regulatory penalties under GDPR if personal data is compromised. The persistent nature of stored XSS increases the risk of widespread impact across all site visitors. Attackers could also use compromised sites as a vector to distribute malware or phishing content, further amplifying the threat. Critical infrastructure or government websites using this plugin could face targeted attacks aiming to disrupt services or gather intelligence. The absence of a patch at the time of disclosure means organizations must act quickly to implement mitigations to reduce exposure.

1. Monitor the vendor’s official channels and Patchstack for the release of an official security update and apply it immediately upon availability. 2. In the interim, restrict or sanitize all user inputs that interact with the WP Mapbox GL JS Maps plugin, especially those that can be stored and rendered on web pages. 3. Employ a Web Application Firewall (WAF) with rules designed to detect and block XSS payloads targeting this plugin. 4. Conduct a thorough audit of all content generated via the plugin to identify and remove any injected malicious scripts. 5. Limit user permissions on WordPress to trusted users only, minimizing the risk of malicious content injection. 6. Educate site administrators and developers about the risks of stored XSS and safe coding practices. 7. Consider temporarily disabling the plugin if it is not critical to operations until a patch is available. 8. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS exploitation by restricting script execution sources.