CVE-2025-67990

Vulnerability

Overview

The GMap Targeting plugin for WordPress, versions up to and including 1.1.7, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This means the plugin fails to sanitize or escape certain parameters before including them in output, allowing an attacker to inject arbitrary HTML and JavaScript code.

Exploitation

Details

Exploitation requires user interaction—a privileged user (such as an administrator) must click a crafted link, visit a specially prepared page, or submit a malicious form [1] a malicious form. The attack does not require authentication for the initial delivery, but the victim must be logged into WordPress with sufficient privileges for the injected script to execute in the context of their session. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of sites [1].

Impact

Successful exploitation allows an attacker to inject malicious scripts that can perform actions such as redirecting visitors to attacker-controlled sites, displaying unauthorized advertisements, or delivering other HTML payloads [1]. The injected code executes in the browser of any user visiting the affected page, potentially leading to data theft, defacement, or further compromise of the WordPress installation.

Mitigation

The vulnerability has been patched in version 1.1.8 of the plugin [1]. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule that blocks attacks until the update can be applied [1]. Given the moderate severity (CVSS 7.1) and the expectation that this vulnerability will be actively exploited, prompt action is recommended.