CVE-2025-3502: 
WordPress vulnerability analysis and mitigation

The WP Maps WordPress plugin before version 4.7.2 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-3502. The vulnerability was discovered and disclosed on April 10, 2025, affecting WordPress installations using the WP Maps plugin. This security issue specifically impacts high-privilege users such as administrators, particularly in multisite setups where unfiltered_html capability is disallowed (MITRE CVE, WPScan).

The vulnerability stems from improper sanitization and escaping of Map settings within the plugin. The security flaw allows privileged users to perform Stored Cross-Site Scripting attacks by manipulating certain map configuration parameters, specifically in the Map Theme Settings section. The vulnerability has a CVSS 3.1 base score of 4.8 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while CISA-ADP rates it at 3.5 (LOW) (NVD).

The vulnerability enables high-privilege users to inject malicious scripts through the Map settings, which could potentially be executed when other users view the affected maps. This creates a risk of session hijacking, credential theft, or other malicious actions performed in the context of the victim's browser (WPScan).

Users are advised to update to WP Maps plugin version 4.7.2 or later, which contains the security fix for this vulnerability. The update properly implements input sanitization and output escaping for Map settings (WPScan).