CVE-2025-2055: 
WordPress vulnerability analysis and mitigation

The MapPress Maps for WordPress plugin before version 2.94.9 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-2055. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on March 13, 2025. The issue stems from the plugin's failure to properly sanitize and escape certain parameters when outputting them on the page, potentially allowing users with contributor-level access or higher to perform Cross-Site Scripting attacks (WPScan, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H. The issue is classified as CWE-79 (Cross-Site Scripting) and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS). The vulnerability can be exploited through the map creation interface where an attacker can inject malicious scripts into the 'Description Title' field (WPScan).

When successfully exploited, this vulnerability allows attackers with contributor-level access to inject and execute malicious JavaScript code in the context of other users' browsers who view the affected pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser (WPScan).

The vulnerability has been patched in version 2.94.9 of the MapPress Maps for WordPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).