CVE-2025-8608: 
WordPress vulnerability analysis and mitigation

The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting (CVE-2025-8608) in versions up to and including 1.6.11. The vulnerability was discovered and disclosed on September 30, 2025. The issue affects the plugin's block attributes functionality due to insufficient input sanitization and output escaping of user-supplied attributes (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 6.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability stems from improper neutralization of input during web page generation, specifically in the plugin's handling of block attributes (Wordfence).

When exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD).

The vulnerability exists in versions up to and including 1.6.11 of the Mihdan: Elementor Yandex Maps plugin. Users should update to a patched version when available. In the meantime, it is recommended to restrict access to contributor roles and monitor for suspicious activity (NVD).