CVE-2025-62942 is a stored cross-site scripting (XSS) vulnerability identified in the WP Mapbox GL JS Maps plugin for WordPress, specifically affecting versions up to and including 3.0.1. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows an attacker with low privileges (such as a contributor or subscriber) to inject malicious JavaScript code that is stored persistently within the plugin's data. When other users, including administrators or editors, view the affected pages, the malicious script executes in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction, such as viewing a compromised page, and does not allow direct remote code execution on the server. The CVSS v3.1 base score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, low privileges required, and user interaction needed. The scope is changed, indicating that the vulnerability can affect resources beyond the initially vulnerable component. No known public exploits or patches are currently available, but the vulnerability has been publicly disclosed and assigned a CVE identifier. The plugin is used to integrate Mapbox GL JS maps into WordPress sites, which are common in various sectors for geospatial visualization and location-based services.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on WordPress sites with the WP Mapbox GL JS Maps plugin for customer-facing or internal applications. Successful exploitation can lead to theft of session cookies, enabling attackers to impersonate users with higher privileges, potentially leading to unauthorized data access or modification. This compromises confidentiality and integrity of information. While availability impact is minimal, the reputational damage and potential regulatory consequences under GDPR for data breaches involving personal data could be substantial. Organizations in sectors such as government, transportation, real estate, and tourism that use geospatial mapping on their websites are at higher risk. Additionally, attackers could use the vulnerability as a foothold for further attacks within the network, especially if administrative accounts are compromised. The medium severity score reflects a moderate risk, but the ease of exploitation by low-privilege users and the persistent nature of stored XSS increase the threat level in practical scenarios.

Immediate mitigation steps include restricting the ability to upload or input data into the WP Mapbox GL JS Maps plugin to trusted users only, minimizing the attack surface. Employ strict input validation and sanitization on all user-supplied data related to the plugin, even if the plugin itself does not currently do so adequately. Deploy a web application firewall (WAF) with rules to detect and block XSS payloads targeting the affected plugin endpoints. Monitor logs for suspicious activities indicative of XSS exploitation attempts. Educate site administrators and users about the risks of clicking on untrusted links or viewing untrusted content within the site. Once available, promptly apply official patches or updates from the plugin vendor. Consider isolating or sandboxing the plugin's output to limit script execution scope. Regularly audit WordPress plugins for vulnerabilities and maintain a robust patch management process. For critical environments, consider disabling the plugin temporarily until a fix is released.