CVE-2025-13958
Description
The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in YaMaps for WordPress plugin before 0.6.40 via unsanitized shortcode attributes, exploitable by contributor-level users.
The YaMaps for WordPress plugin prior to version 0.6.40 contains a stored cross-site scripting (XSS) vulnerability in its shortcode implementation. The plugin fails to properly validate and escape certain shortcode attributes before outputting them in the page or post where the shortcode is embedded. This lack of sanitization allows an attacker to inject arbitrary JavaScript or HTML into the rendered content [1].
The vulnerability can be exploited by users with at least the Contributor role. The attacker needs to embed the affected shortcode with malicious payloads in the attribute values. When other users (including administrators) view the page or post, the injected script executes in their browser. The attack does not require any elevated privileges beyond the Contributor role and can be performed through the normal post-editing interface [1].
Successful exploitation results in stored XSS, enabling an attacker to steal session cookies, perform actions on behalf of the victim, or deface the site. The impact is limited by the need for a user with Contributor access to plant the injection, but the payload then affects all visitors to the compromised page.
The vulnerability is fixed in version 0.6.40 of the YaMaps for WordPress plugin. Users should update to the latest version to eliminate the risk [1]. There are no known workarounds other than disabling the plugin or blocking access to shortcodes if updating is not possible.
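The pattern described above, as an added illustration that is not the plugin's own code: a hypothetical `[example_map]` shortcode whose handler first echoes attributes straight into markup (the class of defect the CVE describes), then the hardened form that validates each attribute by type and escapes it for the HTML attribute context using the standard WordPress helpers.

```php
<?php
// Hypothetical shortcode and attribute names; the real plugin's are not given on this page.
const EXAMPLE_MAP_DEFAULTS = array( 'center' => '55.75,37.61', 'zoom' => '10', 'width' => '100%' );

// Vulnerable pattern: user-supplied attribute values are concatenated into the output unescaped,
// so a Contributor can break out of the attribute and inject markup that renders for every viewer.
function example_map_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( EXAMPLE_MAP_DEFAULTS, $atts, 'example_map' );
    return '<div class="example-map" data-center="' . $atts['center'] . '"'
         . ' data-zoom="' . $atts['zoom'] . '" style="width:' . $atts['width'] . '"></div>';
}

// Hardened pattern: validate the shape of each value, fall back to a safe default when it does
// not match, and escape for the attribute context on output.
function example_map_shortcode_safe( $atts ) {
    $atts = shortcode_atts( EXAMPLE_MAP_DEFAULTS, $atts, 'example_map' );

    // zoom: a non-negative integer only.
    $zoom = absint( $atts['zoom'] );

    // center: exactly two decimal numbers separated by a comma.
    $center = preg_match( '/^-?\d{1,3}(\.\d+)?,-?\d{1,3}(\.\d+)?$/', $atts['center'] )
        ? $atts['center'] : EXAMPLE_MAP_DEFAULTS['center'];

    // width: digits with a px or % suffix, nothing else reaches the style attribute.
    $width = preg_match( '/^\d{1,4}(px|%)$/', $atts['width'] )
        ? $atts['width'] : EXAMPLE_MAP_DEFAULTS['width'];

    // esc_attr() neutralises quotes and angle brackets even if validation is later loosened.
    return sprintf(
        '<div class="example-map" data-center="%s" data-zoom="%d" style="width:%s"></div>',
        esc_attr( $center ),
        $zoom,
        esc_attr( $width )
    );
}

add_shortcode( 'example_map', 'example_map_shortcode_safe' );
```

Validation and escaping are both needed: validation rejects values that make no sense for the map, while `esc_attr()` guarantees that whatever does reach the output cannot terminate the attribute.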
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=0.6.40
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.