The Map My Locations plugin for WordPress, developed by lewisking0072, suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-7660. This vulnerability exists in all versions up to and including 1.1 due to improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape user-supplied attributes passed to the 'map_my_locations' shortcode. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts that utilize this shortcode. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change with limited confidentiality and integrity impact but no availability impact. No public exploits are currently known, but the vulnerability's presence in a popular WordPress plugin makes it a notable risk. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation.

If exploited, this vulnerability could allow attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, affecting all users who view those pages. Potential impacts include theft of authentication cookies or tokens, enabling session hijacking, unauthorized actions performed in the context of affected users, defacement of website content, and distribution of malware or phishing content. For organizations, this could lead to compromised user accounts, loss of customer trust, reputational damage, and potential regulatory consequences if sensitive data is exposed. Since the vulnerability requires authenticated access, the risk is somewhat mitigated by access controls, but insider threats or compromised contributor accounts could still lead to exploitation. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the vulnerable component, increasing the potential impact on the overall system integrity and confidentiality.

1. Immediately restrict contributor-level and higher user privileges to trusted individuals only, minimizing the risk of insider exploitation. 2. Monitor and audit user-generated content that uses the 'map_my_locations' shortcode for suspicious or unexpected script tags or code. 3. Apply strict input validation and output escaping manually if patching is not yet available, for example by sanitizing shortcode attributes using WordPress functions like sanitize_text_field() and escaping output with esc_html() or esc_attr(). 4. Disable or remove the Map My Locations plugin temporarily until an official security patch is released. 5. Educate content contributors about the risks of injecting untrusted content and enforce secure content creation policies. 6. Use Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting this shortcode. 7. Keep WordPress core and all plugins updated to the latest versions to reduce exposure to known vulnerabilities. 8. Implement Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting script execution sources.