CVE-2025-8608 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Mihdan: Elementor Yandex Maps plugin for WordPress, affecting all versions up to and including 1.6.11. The root cause is improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and output escaping of user-supplied block attributes. Authenticated attackers with contributor-level or higher privileges can inject arbitrary JavaScript code into pages by manipulating these block attributes. When other users access the compromised pages, the injected scripts execute in their browsers, potentially enabling session hijacking, privilege escalation, or unauthorized actions within the context of the victim's session. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (PR:L), no user interaction, and scope change (S:C). No public exploits have been reported yet. The vulnerability affects the integrity and confidentiality of affected websites and their users but does not impact availability. Since the flaw requires authenticated access, exploitation is limited to users with at least contributor rights, which somewhat mitigates risk but still poses a significant threat in environments with multiple contributors or less restrictive access controls. No official patches or updates have been linked yet, so mitigation relies on access control hardening and monitoring.

The primary impact of CVE-2025-8608 is on the confidentiality and integrity of websites using the Mihdan: Elementor Yandex Maps plugin. Successful exploitation allows attackers to execute arbitrary scripts in the context of site visitors, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, and distribution of malware. Organizations with multiple contributors or less stringent access controls are at higher risk, as attackers need contributor-level privileges to exploit the vulnerability. This can lead to reputational damage, data breaches, and compromised user trust. Since the vulnerability affects a popular WordPress plugin, the scope includes numerous websites globally, especially those leveraging Elementor and Yandex Maps integrations. Although availability is not directly impacted, the indirect consequences such as defacement or malicious redirects can disrupt normal operations. The lack of known active exploits reduces immediate risk but does not eliminate the threat, especially as attackers often target such vulnerabilities once disclosed.

To mitigate CVE-2025-8608, organizations should first verify if they use the Mihdan: Elementor Yandex Maps plugin and identify the version in use. Since no official patch is currently available, immediate steps include restricting contributor-level access to trusted users only and auditing existing contributors for suspicious activity. Implement strict input validation and output encoding on user-supplied content where possible, potentially via custom code or security plugins that enforce sanitization. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads to detect and block malicious requests. Monitor website logs and user activity for signs of exploitation attempts or unusual behavior. Educate contributors about the risks of injecting untrusted content. Once a patch or update is released by the vendor, promptly apply it. Additionally, consider disabling or replacing the plugin if it is not essential to reduce attack surface. Regular security assessments and penetration testing focusing on user input handling can help identify similar vulnerabilities proactively.