CVE-2025-66098

The Travelers' Map plugin for WordPress versions 2.3.2 and earlier contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed in the browsers of visitors when they access the affected page.

Exploitation requires a privileged user (e.g., an editor or administrator) to perform an action such as clicking a malicious link or submitting a crafted form [1]. The attacker does not need direct access to the site; they can deliver the payload through social engineering or other means to a user with the necessary privileges. Once the malicious script is stored, it will execute for any visitor viewing the compromised content.

Successful exploitation can lead to a range of impacts, including redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing session cookies and other sensitive data [1]. The CVSS v3 base score of 6.5 reflects the medium severity, with the requirement for user interaction reducing the overall risk.

The vendor has released version 2.3.3 which resolves the vulnerability [1]. Users are strongly advised to update immediately. For those unable to update, enabling auto-updates for vulnerable plugins or consulting with a hosting provider is recommended as a temporary workaround [1].