CVE-2025-8608

The Mihdan: Elementor Yandex Maps plugin for WordPress suffers from a stored cross-site scripting (XSS) vulnerability in all versions up to and including 1.6.11. The flaw arises from insufficient input sanitization and output escaping on user-supplied attributes within the plugin's blocks. Specifically, fields like balloon_content_header and balloon_content_body were rendered without proper escaping, allowing malicious scripts to be stored in the database[1].

To exploit this vulnerability, an attacker must be authenticated with at least contributor-level access to the WordPress site. The attacker can inject arbitrary JavaScript into plugin attributes via the block editor. When any user, including administrators or visitors, views the compromised page, the injected script executes within the context of the victim's browser[1].

Successful exploitation can lead to a range of impacts, including session hijacking, defacement of the site, or redirection to malicious websites. Since the XSS is stored, the payload persists and affects every subsequent visitor to the affected page.

The vulnerability has been addressed in version 1.7.0 of the plugin. The fix includes adding wp_kses_post() to sanitize output fields and modifying the template syntax from {{{ }}} to {{ }} to disable raw HTML rendering[1]. Users are advised to update to the latest version immediately.