CVE-2025-66093

Vulnerability

Overview The Extensions for Leaflet Map plugin for WordPress (versions through 4.8) contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This flaw enables an attacker to inject arbitrary JavaScript code into the DOM, which is then executed in the browser of a victim visiting a crafted page.

Exploitation

Details Exploitation requires user interaction—a privileged user must perform an action such as clicking a malicious link, visiting a specially crafted page, or submitting a form. The attacker does not need direct network access to the server but can deliver the payload through any input that is reflected in the page. The vulnerability is classified as medium severity (CVSS 6.5) and is known to be targeted in mass-exploit campaigns.

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to session hijacking, redirection to malicious sites, injection of advertisements, or other HTML/JavaScript payloads that compromise the integrity of the vulnerable site.

Mitigation

The plugin developer has released version 4.9, which fixes the vulnerability. Users are strongly advised to update immediately. If updating is not possible, site administrators should apply additional security measures such as input validation or seek assistance from their hosting provider. Patchstack users can enable auto-updates for vulnerable plugins [1].