CVE-2025-48151: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the CM Map Locations WordPress plugin, identified as CVE-2025-48151. The vulnerability affects all versions up to and including 2.1.6 of the plugin, which is designed to help users visualize and share locations. The issue was discovered by researcher Nguyen Xuan Chien and was publicly disclosed on July 21, 2025 (WPScan).

The vulnerability stems from insufficient input sanitization and output escaping in the CM Map Locations plugin. It has been assigned a CVSS score of 6.1 (medium severity) and is classified under CWE-79. The vulnerability falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan, Patchstack).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users perform specific actions, such as clicking on a malicious link. This could potentially lead to the injection of malicious scripts, redirects, advertisements, and other HTML payloads into the affected website (Patchstack).

The vulnerability has been fixed in version 2.1.7 of the CM Map Locations plugin. Users are advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).