CVE-2025-57952: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in icopydoc Maps for WP plugin, tracked as CVE-2025-57952. The vulnerability affects versions through 1.2.5 of the Maps for WP plugin and was disclosed on September 22, 2025. This security issue involves improper neutralization of input during web page generation, allowing for stored XSS attacks (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C) with low impacts on confidentiality, integrity, and availability. The vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation (Patchstack).

The vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. The impact severity is considered low, with limited effects on confidentiality, integrity, and availability of the system (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects Maps for WP versions through 1.2.5. Given the low severity impact and unlikely exploitation potential, immediate mitigation may not be critical (Patchstack).