CVE-2025-48151

Vulnerability

Overview

The CM Map Locations plugin for WordPress (versions up to and including 2.1.6) contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into the application's response, which is then executed in the context of the victim's browser.

Exploitation

Details

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page [1]. While the vulnerability can be initiated by a user with certain privileges, successful execution depends on a privileged user performing an action like clicking a malicious link or submitting a form [1]. This makes the attack feasible in scenarios where an attacker can trick an authenticated administrator or editor into interacting with a malicious payload.

Impact

If exploited, an attacker can inject malicious scripts that may perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing sensitive information [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites [1].

Mitigation

The vulnerability is fixed in version 2.1.7 of the CM Map Locations plugin [1]. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update can be applied [1].