CVE-2025-3504: 
WordPress vulnerability analysis and mitigation

The WP Maps WordPress plugin (also known as WP Google Map Plugin) before version 4.7.2 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Dmitrii Ignatyev and publicly disclosed on April 10, 2025. The issue affects high-privilege users such as administrators, particularly in multisite setups where the unfiltered_html capability is disallowed (WPScan, MITRE).

The vulnerability stems from improper sanitization and escaping of Map settings within the plugin. The issue specifically involves the map_all_control[marker_default_icon] parameter, which can be manipulated to inject malicious scripts. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, while CISA-ADP assessed it with a score of 3.5 (LOW). The vulnerability is classified under OWASP Top 10 category A7: Cross-Site Scripting (XSS) and CWE-79 (NVD, WPScan).

When exploited, this vulnerability could allow high-privilege users to inject malicious scripts into the website. These scripts would be executed when other users visit the affected pages, potentially leading to unauthorized actions, data theft, or other malicious activities in the context of the victim's browser (Wiz).

Users are advised to update to WP Maps plugin version 4.7.2 or later, which contains the fix for this vulnerability. The issue has been patched in the latest release, and updating is the recommended solution to prevent potential exploitation (Wiz).