The CBX Map for Google Map & OpenStreetMap plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-9123. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically in the handling of popup heading and location address parameters. Versions up to and including 1.1.12 fail to adequately sanitize and escape user-supplied input, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. Because the malicious script is stored persistently, it executes every time a user accesses the compromised page, potentially affecting administrators, editors, and visitors. The vulnerability is exploitable remotely over the network without user interaction, but requires at least Contributor-level authentication, limiting exposure to some extent. The CVSS 3.1 base score of 6.4 reflects a medium severity, with low attack complexity and partial impact on confidentiality and integrity but no impact on availability. No patches or official fixes are currently linked, and no known exploits have been observed in the wild. This vulnerability poses a risk of session hijacking, privilege escalation, data theft, or defacement within affected WordPress sites using this plugin.

The primary impact of CVE-2025-9123 is the potential for attackers with Contributor-level access to inject persistent malicious scripts into web pages, which execute in the context of any user viewing those pages. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, unauthorized actions performed on behalf of users, and website defacement. For organizations, this undermines the confidentiality and integrity of their web applications and user data. Although availability is not directly affected, the reputational damage and potential compliance violations can be significant. Since the vulnerability requires authenticated access, the risk is mitigated somewhat, but many WordPress sites allow Contributor or higher roles to multiple users, increasing the attack surface. Exploitation could facilitate lateral movement within the site or broader compromise if administrative users are targeted. Given the widespread use of WordPress and mapping plugins, organizations relying on this plugin for location services or interactive maps are at risk of targeted attacks, especially in sectors with high-value data or public-facing portals.

Organizations should immediately audit their WordPress installations to identify the use of the CBX Map for Google Map & OpenStreetMap plugin and verify the version in use. Since no official patch is currently available, administrators should consider the following mitigations: restrict Contributor-level permissions to trusted users only, implement strict input validation and output encoding at the application or web server level, and employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting popup heading and location address parameters. Additionally, monitoring logs for unusual script injection attempts and user behavior anomalies can help detect exploitation attempts. Site administrators should also consider temporarily disabling or removing the plugin until a secure version is released. Educating users about the risks of XSS and maintaining regular backups will aid in recovery if exploitation occurs. Finally, subscribing to vendor or security mailing lists for updates on patches is critical for timely remediation.