VYPR
Medium severity (CVSS 6.4) · NVD Advisory · Published Jul 18, 2025 · Updated Apr 15, 2026

CVE-2025-7660

Description

The Map My Locations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'map_my_locations' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Map My Locations WordPress plugin ≤1.1 has a stored XSS vulnerability via the 'map_my_locations' shortcode, allowing contributor-level users to inject arbitrary scripts.

The Map My Locations plugin for WordPress, in versions up to and including 1.1, is vulnerable to Stored Cross-Site Scripting (XSS) through its map_my_locations shortcode. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied shortcode attributes. In the plugin's public-facing display function (display_map in class-map-my-locations-public.php), attributes such as title, map, style, list, orderby, pin_color, and id are accepted via the shortcode_atts function [1]. These attributes are then processed and rendered by the map-my-locations-public-display.php partial, which outputs the attribute values without adequate escaping, so HTML or JavaScript placed in a stored shortcode attribute is rendered verbatim [2].

An attacker must have at least Contributor-level access to a WordPress site to exploit this flaw. By crafting a shortcode with malicious attribute values (e.g., an XSS payload in the title attribute), the attacker can inject arbitrary web scripts. When an administrator or other user views a page or post containing that shortcode, the injected script executes in the context of the victim's browser session, because the stored payload is rendered by the front-end display template without proper sanitization [1][2].

Successful exploitation enables the attacker to perform actions such as session hijacking, defacement, or redirecting users to malicious sites. The vulnerability has a CVSS v3 base score of 6.4 (Medium), reflecting the requirement for authenticated access and the need for user interaction (viewing the compromised page) [description]. At the time of publication, users should upgrade to version 1.1.1 or later, which patches the input sanitization and output escaping weaknesses in the shortcode handler.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
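The defect class the narrative above describes, shown as an added illustrative example constructed for this page (it is not code from the Map My Locations plugin): a shortcode handler that echoes shortcode_atts() values into HTML unescaped, beside a hardened handler that validates and escapes each value for the context it lands in. The function and shortcode names (mml_example_*, map_my_locations_example) are hypothetical; shortcode_atts, esc_attr, esc_html, sanitize_html_class and add_shortcode are standard WordPress functions.

```php
<?php
// Added illustrative example, not code from the Map My Locations plugin.
// Function and shortcode names (mml_example_*, map_my_locations_example)
// are hypothetical.

// BEFORE: attribute values returned by shortcode_atts() are concatenated
// straight into markup. Anyone who can put a shortcode in post content
// (Contributor and above) controls these values, and Contributors normally
// lack the unfiltered_html capability, so the shortcode becomes the sink
// that lets stored markup reach the page unescaped.
function mml_example_display_map_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'id' => '', 'pin_color' => '#000000' ),
        $atts,
        'map_my_locations_example'
    );
    // UNSAFE: no escaping at the output boundary.
    return '<div id="' . $atts['id'] . '" data-pin-color="' . $atts['pin_color'] . '">'
         . '<h2>' . $atts['title'] . '</h2></div>';
}

// AFTER: escape on output, per context (esc_attr() inside attribute values,
// esc_html() for element text), and validate values that must have a fixed
// shape so an unexpected value falls back to a safe default.
function mml_example_display_map_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'id' => '', 'pin_color' => '#000000' ),
        $atts,
        'map_my_locations_example'
    );

    // sanitize_html_class() keeps only characters valid in an id/class name;
    // the second argument is returned when nothing valid remains.
    $id = sanitize_html_class( $atts['id'], 'mml-map' );

    // Accept only #rgb or #rrggbb; anything else reverts to the default.
    $pin_color = $atts['pin_color'];
    if ( ! preg_match( '/^#([0-9a-fA-F]{3}){1,2}$/', $pin_color ) ) {
        $pin_color = '#000000';
    }

    return sprintf(
        '<div id="%s" data-pin-color="%s"><h2>%s</h2></div>',
        esc_attr( $id ),
        esc_attr( $pin_color ),
        esc_html( $atts['title'] )
    );
}

add_shortcode( 'map_my_locations_example', 'mml_example_display_map_safe' );
```

The hardened handler escapes at the point of output rather than trying to strip dangerous input on save, which is the approach WordPress core recommends and the one that closes the gap regardless of how the shortcode text reached the database. Reviewing a plugin for this class of bug means locating every place a shortcode_atts() value is echoed or concatenated into markup and confirming an esc_* call sits between the value and the page.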

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)