CVE-2025-7660 is a stored Cross-Site Scripting (XSS) vulnerability affecting the 'Map My Locations' WordPress plugin developed by lewisking0072. This vulnerability exists in all versions up to and including 1.1 of the plugin. The root cause is insufficient input sanitization and output escaping of user-supplied attributes within the plugin's 'map_my_locations' shortcode. Authenticated users with contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize this shortcode. When other users visit these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to a contributor role, no user interaction is needed for exploitation, and the impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches or updates have been linked yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common cause of XSS issues in web applications.

For European organizations using WordPress sites with the 'Map My Locations' plugin, this vulnerability poses a moderate risk. Exploitation could allow attackers with contributor-level access to inject malicious scripts, compromising the confidentiality and integrity of user sessions and data. This could lead to unauthorized access to sensitive information, defacement of websites, or distribution of malware to site visitors. Organizations relying on WordPress for public-facing websites, intranets, or customer portals could suffer reputational damage and potential regulatory penalties under GDPR if personal data is compromised. Since the vulnerability requires authenticated access, insider threats or compromised contributor accounts are the primary risk vectors. The lack of availability impact means service disruption is unlikely, but the breach of trust and data leakage risks remain significant. The absence of known exploits in the wild reduces immediate urgency but does not eliminate the threat, especially if attackers develop exploits targeting this vulnerability.

European organizations should immediately audit their WordPress installations to identify the presence of the 'Map My Locations' plugin. If found, restrict contributor-level access and above to trusted personnel only until a patch is available. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'map_my_locations' shortcode parameters. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regularly monitor logs for unusual activity related to shortcode usage or contributor actions. Encourage plugin developers or maintainers to release a security update that properly sanitizes and escapes user inputs. In the interim, consider disabling the shortcode or the plugin entirely if it is not critical to operations. Additionally, educate contributors about phishing and social engineering risks to prevent account compromise, as authenticated access is required for exploitation.