CVE-2025-8608 is a stored cross-site scripting (XSS) vulnerability identified in the Mihdan: Elementor Yandex Maps plugin for WordPress, which is widely used to embed Yandex Maps within Elementor-built pages. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and output escaping of user-supplied block attributes. This flaw allows authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. Because the malicious scripts are stored persistently in the page content, they execute automatically whenever any user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all plugin versions up to and including 1.6.11. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for websites that allow contributor-level users to add or edit content. The plugin’s integration with Elementor and WordPress’s widespread use increases the potential attack surface. The vulnerability was published on September 30, 2025, with no patch links currently available, indicating that mitigation relies on access control and monitoring until an official fix is released.

For European organizations, this vulnerability poses a moderate risk primarily to websites using WordPress with the Mihdan: Elementor Yandex Maps plugin. The ability for contributor-level users to inject persistent XSS payloads can lead to session hijacking, defacement, unauthorized actions, and potential lateral movement within the web application. This can compromise the confidentiality of user data, integrity of website content, and trustworthiness of the affected sites. Organizations relying on WordPress for public-facing or internal portals may face reputational damage and regulatory scrutiny, especially under GDPR, if user data is compromised. The vulnerability does not directly impact availability but can facilitate further attacks that might. Since exploitation requires authenticated access, the risk is higher in environments with weak access controls or where contributor roles are broadly assigned. European entities with active content management workflows and multiple contributors are particularly vulnerable. The lack of known exploits reduces immediate threat but does not eliminate risk, as attackers may develop exploits once the vulnerability is publicized.

1. Immediately review and restrict contributor-level access on WordPress sites using the Mihdan: Elementor Yandex Maps plugin, ensuring only trusted users have such privileges. 2. Implement strict input validation and output encoding on all user-supplied content, especially block attributes related to the plugin, using security plugins or custom code if possible. 3. Monitor website content for suspicious scripts or unexpected changes, employing web application firewalls (WAFs) with XSS detection capabilities. 4. Disable or remove the Mihdan: Elementor Yandex Maps plugin if it is not essential until a patched version is released. 5. Keep WordPress core, themes, and plugins up to date, and subscribe to vendor security advisories for timely patching once available. 6. Educate content contributors about security best practices and the risks of injecting untrusted content. 7. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected sites. 8. Conduct regular security audits and penetration testing focused on user input handling and plugin vulnerabilities. 9. Consider implementing multi-factor authentication (MFA) to reduce the risk of compromised contributor accounts. 10. Backup website data regularly to enable quick restoration in case of compromise.