CVE-2025-24758
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Map Locations cm-map-locations allows Reflected XSS. This issue affects CM Map Locations: from n/a through <= 2.0.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CM Map Locations plugin ≤2.0.8 has a reflected XSS flaw that lets attackers inject arbitrary scripts via unsanitized input.
Vulnerability
CVE-2025-24758 is a reflected Cross-Site Scripting (XSS) vulnerability in the WordPress plugin CM Map Locations, affecting versions up to and including 2.0.8 [1]. The root cause is improper neutralization of user-controlled input during web page generation, allowing an attacker to inject malicious HTML or JavaScript code into a response [1].
Exploitation
Exploitation requires user interaction — a victim must click a crafted link or visit a specially prepared page [1]. No privileges are needed beyond the ability to deliver the malicious URL to a victim, although the reference lists the attack as initiated by the role given under "Required Privilege" (likely an administrator or contributor) [1]. Because the flaw is reflected, the payload is not stored on the server; it executes in the victim's browser session when the crafted request is served back.
Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to redirections, ad injection, or theft of session cookies [1]. This could be used in mass exploitation campaigns targeting thousands of WordPress sites without regard for their popularity [1].
Mitigation
The vulnerability is fixed in version 2.0.9 of the plugin [1]. Users are strongly advised to update immediately. For those unable to update, applying a web application firewall (WAF) rule or using a security plugin like Patchstack can provide temporary protection [1].
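As an added example (not code from the CM Map Locations plugin or its vendor), the defect class named in the Vulnerability and Mitigation sections: a request value written into the generated page unencoded, beside the same rendering with context-appropriate HTML encoding. The `location_search` parameter and the markup are constructed for illustration; the WordPress `esc_attr()`/`esc_html()` helpers named in the comments are real, but plain `htmlspecialchars()` is used so the script runs with the PHP CLI alone.

```php
<?php
// Added illustration (not code from CM Map Locations): the reflected-XSS
// pattern described for CVE-2025-24758, beside the output-encoding fix.
// The parameter name "location_search" is hypothetical.

/**
 * Vulnerable pattern: the request value is placed into the page as-is.
 * Whatever arrives in the query string becomes part of the HTML, so a
 * closing quote or tag in the value changes the page structure. This is
 * "improper neutralization during web page generation".
 */
function render_unsafe(array $get): string {
    $term = $get['location_search'] ?? '';
    return '<input type="text" name="location_search" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>';
}

/**
 * Encode for the HTML output context. ENT_QUOTES escapes both quote styles,
 * so the same encoder is safe in a double-quoted attribute and in element
 * text. In a WordPress plugin the equivalents are esc_attr() and esc_html().
 */
function encode_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hardened pattern: identical page, but every untrusted value passes
 * through the encoder at the point where it is written into the markup.
 */
function render_safe(array $get): string {
    $term = (string) ($get['location_search'] ?? '');
    return '<input type="text" name="location_search" value="' . encode_html($term) . '">'
         . '<p>Results for: ' . encode_html($term) . '</p>';
}

/**
 * Simple check a reviewer or test can apply: the reflected value must not
 * appear in the output as raw markup characters.
 */
function reflects_raw_markup(string $html, string $value): bool {
    return strpos($html, $value) !== false
        && (strpos($value, '<') !== false || strpos($value, '"') !== false);
}

// Constructed request: a value that would break out of the attribute if echoed raw.
$request = ['location_search' => '"><b>injected</b>'];

$unsafe = render_unsafe($request);
$safe   = render_safe($request);

echo "Unsafe output:\n$unsafe\n";
echo 'Raw markup reflected: ' . (reflects_raw_markup($unsafe, $request['location_search']) ? 'yes' : 'no') . "\n\n";
echo "Safe output:\n$safe\n";
echo 'Raw markup reflected: ' . (reflects_raw_markup($safe, $request['location_search']) ? 'yes' : 'no') . "\n";
```

Run it with `php example.php`; the first check reports `yes`, the second `no`. The fix is applied at output time because the root cause is in page generation: input filtering (for example WordPress's `sanitize_text_field()`) is a useful extra layer, but it does not replace encoding for the context the value is written into.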
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 2.0.8
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.