CVE-2025-23518

The vulnerability is a Reflected Cross-Site Scripting (XSS) issue in the GoogleMapper WordPress plugin, affecting versions through 2.0.3. The plugin fails to properly neutralize input during web page generation, allowing injection of arbitrary HTML and JavaScript [1].

Exploitation requires user interaction: an attacker must trick a privileged user (e.g., administrator) into clicking a malicious link, visiting a crafted page, or submitting a form. The attack can be initiated by any role with access to the vulnerable parameter, but successful execution depends on the victim's action [1].

A successful attack allows the attacker to inject malicious scripts, which execute when other users (including regular visitors) access the site. This can lead to redirects, advertisements, or other harmful payloads. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns against thousands of websites [1].

Mitigation: The vendor has not released an official patch, but Patchstack offers a mitigation rule to block attacks until an update is available. Users are advised to update the plugin as soon as a patch is released, or contact their hosting provider for assistance [1].