CVE-2025-3503: 
WordPress vulnerability analysis and mitigation

The WP Maps WordPress plugin before version 4.7.2 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on April 10, 2025, affecting the Map settings functionality of the plugin. This security issue has been assigned CVE-2025-3503 and received a CVSS score of 3.5 (low severity) (WPScan, Wiz).

The vulnerability exists in the Map settings functionality where input validation is insufficient, specifically affecting the 'Infowindow Message for Locations' section of the map configuration. The plugin fails to properly sanitize and escape some of its Map settings, which could allow high privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disabled. The vulnerability is classified under CWE-79 (WPScan, Wiz).

The vulnerability allows authenticated users with administrative privileges to store and execute malicious JavaScript code. This could potentially lead to attacks against other administrative users who access the map editing interface. The impact is particularly concerning in multisite WordPress installations where the unfiltered_html capability is typically restricted (Wiz).

Users should update to WP Maps version 4.7.2 or later, which contains the fix for this vulnerability. No alternative workarounds have been published (WPScan).