The Flexible Map plugin for WordPress, developed by webaware, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-8622. This vulnerability stems from improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape user-supplied attributes in its Flexible Maps shortcode, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. When a page containing the malicious shortcode is accessed by any user, the injected script executes in their browser context. This can lead to unauthorized actions such as session hijacking, data theft, or privilege escalation. The vulnerability affects all versions up to and including 1.18.0. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and a scope change with low confidentiality and integrity impacts but no availability impact. No public exploits have been reported yet, but the vulnerability's presence in a widely used WordPress plugin makes it a significant risk. The issue was published on August 19, 2025, and no official patches have been linked yet, indicating users must rely on interim mitigations. The vulnerability highlights the importance of secure input validation and output encoding in WordPress plugins to prevent persistent XSS attacks.

If exploited, this vulnerability allows attackers with contributor-level access to inject persistent malicious scripts into WordPress pages via the Flexible Map shortcode. These scripts execute in the context of any user viewing the affected page, potentially leading to session hijacking, theft of sensitive information, unauthorized actions on behalf of users, and privilege escalation. The confidentiality and integrity of user data and site content are at risk. While availability is not directly impacted, the trustworthiness and security posture of affected websites can be severely damaged. Organizations relying on this plugin for mapping functionality on their WordPress sites face reputational damage, potential data breaches, and compliance issues. Since the attack requires authenticated access, insider threats or compromised contributor accounts pose a significant risk. The scope of impact is broad due to WordPress's global popularity and the plugin's usage, potentially affecting numerous websites worldwide.

1. Immediately restrict contributor-level and higher user privileges to trusted individuals only, minimizing the risk of malicious shortcode injection. 2. Monitor existing pages and posts for suspicious or unauthorized Flexible Maps shortcode usage that could contain injected scripts. 3. Implement web application firewall (WAF) rules to detect and block malicious script patterns in shortcode parameters. 4. Encourage users to update to a patched version once released by the vendor; in the meantime, consider disabling the Flexible Map plugin if feasible. 5. Apply manual input sanitization and output escaping in shortcode processing by customizing plugin code or using security plugins that enforce stricter content filtering. 6. Conduct regular security audits and user access reviews to detect compromised accounts or privilege misuse. 7. Educate content contributors about the risks of injecting untrusted content and the importance of secure content practices. 8. Employ Content Security Policy (CSP) headers to limit the impact of any injected scripts by restricting script sources and execution contexts.