CVE-2025-8622: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in webaware Flexible Map

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-8622, cve, cve-2025-8622, cwe-79
Published: Tue Aug 19 2025 (08/19/2025, 07:26:28 UTC)
Source: CVE Database V5
Vendor/Project: webaware
Product: Flexible Map

Description

The Flexible Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Flexible Maps shortcode in all versions up to, and including, 1.18.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

Last updated: 08/19/2025, 07:48:16 UTC

Technical Analysis

CVE-2025-8622 is a stored Cross-Site Scripting (XSS) vulnerability in the Flexible Map plugin for WordPress, developed by webaware. It affects all versions up to and including 1.18.0. The root cause is insufficient input sanitization and output escaping on user-supplied attributes of the plugin's Flexible Maps shortcode. An authenticated attacker with contributor-level privileges or higher can inject arbitrary scripts into a page through the shortcode. The scripts are stored with the page and execute whenever any user accesses it, which can lead to session hijacking, defacement, or other malicious actions within the context of the affected website. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based (remote), attack complexity is low, privileges at the level of contributor or above are required, and no user interaction is required. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component. Confidentiality and integrity are affected; availability is not. No known exploits have been reported in the wild, and no patches had been linked at the time of publication. The vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation, a common and dangerous web security flaw.

Potential Impact

For European organizations using WordPress websites with the Flexible Map plugin, this vulnerability poses a significant risk. Since the exploit requires contributor-level access, it primarily threatens organizations with multiple content editors or contributors, such as media companies, educational institutions, and public sector websites. Successful exploitation can lead to unauthorized script execution, enabling attackers to steal user credentials, perform unauthorized actions on behalf of users, or spread malware. This can damage organizational reputation, lead to data breaches involving personal data protected under GDPR, and cause compliance violations. The stored nature of the XSS means that any visitor to the compromised page is at risk, potentially amplifying the impact. Given the widespread use of WordPress in Europe and the common deployment of plugins like Flexible Map for location-based content, the threat is relevant to many sectors. However, the requirement for authenticated contributor access somewhat limits the attack surface to insider threats or compromised accounts.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the Flexible Map plugin and verify the version in use. Until an official patch is released, administrators should restrict contributor-level access to trusted users only and monitor user accounts closely for suspicious activity. Web Application Firewalls (WAFs) with custom rules that detect and block malicious shortcode payloads can provide interim protection. Where possible, organizations should also manually sanitize and validate all user input passed to the plugin's shortcodes. Updating WordPress core and plugins as soon as patches become available is critical. Security teams should educate contributors about phishing and credential security to prevent account compromise. Finally, monitoring website content for unexpected script injections and conducting periodic security scans will help detect exploitation attempts early.
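One way to carry out the version audit and content-monitoring steps above, as an added example (not code from the plugin or from this advisory): it checks a plugin version against the affected range and flags Flexible Map shortcode attributes in stored post content that contain markup. The `flexiblemap` tag name, the attribute names and the sample posts are assumptions constructed for illustration; the advisory does not say which attributes are affected.

```python
import html
import re

# Assumption: the shortcode tag is "flexiblemap"; change it if your site differs.
SHORTCODE_RE = re.compile(r"\[flexiblemap\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or name=value, as WordPress shortcodes allow.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s'"]+))""")
# Markup that has no place in a map attribute; tune to your own content.
SUSPICIOUS_RE = re.compile(r"[<>\"]|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)
LAST_AFFECTED = (1, 18, 0)  # advisory: all versions up to and including 1.18.0


def is_affected(version):
    """True if a plugin version string falls in the advisory's affected range."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    return parts <= LAST_AFFECTED


def audit_post(post_id, content):
    """Return (post_id, attribute, decoded_value) for each attribute to review."""
    findings = []
    for shortcode in SHORTCODE_RE.finditer(content):
        for attr in ATTR_RE.finditer(shortcode.group(1)):
            name = attr.group(1).lower()
            raw = next(g for g in attr.groups()[1:] if g is not None)
            value = html.unescape(raw)  # surface entity-encoded markup too
            if SUSPICIOUS_RE.search(value) or re.fullmatch(r"on[a-z]+", name):
                findings.append((post_id, name, value))
    return findings


def audit_all(posts):
    """Audit a {post_id: post_content} mapping and return all findings."""
    return [f for pid, body in sorted(posts.items()) for f in audit_post(pid, body)]


# Constructed sample rows (post ID -> post_content); not taken from a real site.
SAMPLE_POSTS = {
    101: '<p>Our office:</p>[flexiblemap center="-32.918657,151.797894" width="500"]',
    102: '[flexiblemap center="48.8566,2.3522" '
         'title="&lt;script&gt;alert(1)&lt;/script&gt;"]',
    103: '[flexiblemap center="52.52,13.405" onmouseover=alert(1)]',
}

if __name__ == "__main__":
    print("1.18.0 affected:", is_affected("1.18.0"))
    for finding in audit_all(SAMPLE_POSTS):
        print(finding)
```

To use it on a real site, pass `audit_all` a mapping built from the `post_content` column of the `wp_posts` table, and treat each finding as a prompt for manual review rather than proof of exploitation.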

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-08-05T20:47:43.413Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a4289bad5a09ad00f3caf5

Added to database: 8/19/2025, 7:32:43 AM

Last enriched: 8/19/2025, 7:48:16 AM

Last updated: 8/19/2025, 8:41:36 AM
