CVE-2025-9123 is a stored Cross-Site Scripting (XSS) vulnerability affecting the CBX Map for Google Map & OpenStreetMap WordPress plugin, developed by manchumahara. This vulnerability exists in all versions up to and including 1.1.12 due to improper input sanitization and output escaping of the popup heading and location address parameters. An authenticated attacker with Contributor-level privileges or higher can inject malicious JavaScript code into these parameters. Because the vulnerability is stored, the injected scripts persist in the database and execute whenever any user accesses the affected page containing the malicious payload. The vulnerability is classified under CWE-79, which relates to improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.4 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), and a scope change (S:C). The impact affects confidentiality and integrity but not availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk because it allows privilege escalation from contributor-level access to executing arbitrary scripts that can steal session cookies, perform actions on behalf of users, or deliver further payloads. The scope change indicates that the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting other parts of the WordPress site. This vulnerability is particularly concerning for WordPress sites that use the CBX Map plugin to display geographic data with popups, as attackers can leverage the map interface to inject malicious content. Since the vulnerability requires contributor-level access, it is less likely to be exploited by anonymous attackers but remains a critical risk in environments with multiple users and contributors. The absence of a patch link suggests that a fix may not yet be available, emphasizing the need for immediate mitigation steps.

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information, session hijacking, and potential site defacement or redirection. Organizations relying on WordPress sites with the CBX Map plugin for public-facing or internal applications could see compromised user accounts, especially if contributor-level access is granted to multiple users or third parties. The confidentiality and integrity of data can be undermined, leading to loss of trust, reputational damage, and potential regulatory non-compliance under GDPR if personal data is exposed. Additionally, attackers could leverage the vulnerability to pivot to other parts of the network or conduct phishing attacks by injecting malicious scripts that mimic legitimate site content. The medium severity score reflects that while the vulnerability is not trivially exploitable by unauthenticated users, the impact on affected systems can be significant. Given the widespread use of WordPress in Europe and the popularity of mapping plugins for location-based services, this vulnerability could affect a broad range of sectors including government, education, tourism, and local businesses.

1. Immediate mitigation should include restricting contributor-level access to trusted users only and auditing existing user privileges to minimize the attack surface. 2. Disable or remove the CBX Map for Google Map & OpenStreetMap plugin until a security patch is released. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting popup heading and location address parameters. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 5. Regularly monitor logs and user activities for signs of exploitation attempts or anomalous behavior. 6. Once available, promptly apply vendor patches or updates addressing this vulnerability. 7. Educate content contributors about safe input practices and the risks of injecting untrusted content. 8. Consider implementing input validation and output encoding at the application level as an additional safeguard. These steps go beyond generic advice by focusing on access control, temporary plugin removal, and layered defenses tailored to this specific vulnerability.