CVE-2025-6259

Vulnerability

Details The esri-map-view plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.2.3. The flaw resides in the esri-map-view shortcode, where user-supplied attributes are insufficiently sanitized and not properly escaped before output. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts [1].

Exploitation

To exploit this vulnerability, an attacker must have at least a Contributor role on the WordPress site. They can craft a post or page containing the esri-map-view shortcode with malicious JavaScript in one of the attributes. When any user (including administrators or visitors) views the compromised page, the injected script executes in their browser. No other authentication or network position is required beyond standard WordPress content creation privileges [1].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript within the context of the affected website. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. The stored XSS persists in the database, affecting all subsequent visitors to the injected page [1].

Mitigation

Status The plugin has been closed as of August 1, 2025, and is no longer available for download due to this security issue [1]. Users running affected versions should immediately remove or disable the plugin and replace it with an alternative solution. No patched version exists, and no workaround has been provided.