CVE-2025-47669
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sabuj Kundu CBX Map for Google Map & OpenStreetMap cbxgooglemap allows DOM-Based XSS. This issue affects CBX Map for Google Map & OpenStreetMap: from n/a through <= 1.1.12.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-Based XSS vulnerability in CBX Map for Google Map & OpenStreetMap plugin (<=1.1.12) allows attackers to inject malicious scripts via crafted input, requiring user interaction.
The CBX Map for Google Map & OpenStreetMap plugin (cbxgooglemap) versions up to and including 1.1.12 are vulnerable to DOM-Based Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation [1]. This occurs when user-supplied input is not sanitized before being used in DOM manipulation, allowing an attacker to inject arbitrary HTML/JavaScript.
Exploitation requires user interaction, such as a privileged user clicking a malicious link or visiting a crafted page [1]. The attacker must trick the victim into performing an action, which can be achieved through social engineering or other means. No authentication is required from the attacker, but the victim must have some level of access.
Successful exploitation enables the attacker to inject malicious scripts into the website. These scripts can execute in the context of the victim's browser, leading to actions such as redirecting users to malicious sites, displaying advertisements, or stealing sensitive information [1].
The vulnerability has been addressed in version 2.0.0 of the plugin. Users are strongly advised to update to this version or later to mitigate the risk [1]. For those unable to update immediately, additional security measures like web application firewalls may be considered, but updating is the recommended course of action.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=1.1.12
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.