CVE-2023-7225: 
WordPress vulnerability analysis and mitigation

The MapPress Maps for WordPress plugin is vulnerable to Stored Cross-Site Scripting (CVE-2023-7225) via the width and height parameters in versions up to and including 2.88.16. The vulnerability was discovered and publicly disclosed on January 29, 2024, affecting the MapPress Google Maps for WordPress plugin (Wordfence, Advisory).

The vulnerability stems from insufficient input sanitization and output escaping in the map settings functionality. The issue specifically affects the width and height parameters in the map configuration interface. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (Medium) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Wordfence assessed it at 6.4 (Medium) (NVD).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to various cross-site scripting attacks (Advisory).

The vulnerability has been patched in version 2.88.17. Site administrators are strongly advised to update to this version or later to protect against potential attacks (WPScan).