CVE-2025-24674: 
WordPress vulnerability analysis and mitigation

The ShMapper by Teplitsa WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability affecting versions up to 1.5.0. The vulnerability was discovered by Khang Duong and was disclosed on January 24, 2025, with CVE identifier CVE-2025-24674 (NVD, WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue due to insufficient input sanitization and output escaping. The CVSS v3.1 base score is 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. This vulnerability specifically affects multi-site installations and installations where unfiltered_html has been disabled (Patchstack).

The vulnerability allows authenticated attackers with editor-level permissions and above to inject arbitrary web scripts into pages. When users access an injected page, the malicious scripts will execute in their browser context, potentially leading to session hijacking, defacement, or other client-side attacks (WPScan).

The vulnerability has been patched in version 1.5.1 of the ShMapper by Teplitsa plugin. Site administrators are strongly advised to update to this version or later to mitigate the risk (Patchstack).