CVE-2025-2162: 
WordPress vulnerability analysis and mitigation

The MapPress Maps for WordPress plugin before version 2.94.10 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-2162. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on March 27, 2025. This security issue affects the plugin's settings functionality, specifically impacting WordPress installations (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. The issue has been assigned a CVSS 3.1 Base Score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically affects the Width field in the Map sizes section of the plugin's settings, allowing for XSS payload injection (WPScan).

When exploited, this vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled, such as in multisite setups. The XSS payload can be triggered when editing a map or when editing a post containing a map shortcode (WPScan).

The vulnerability has been patched in version 2.94.10 of the MapPress Maps for WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).