CVE-2025-8622

What the vulnerability is

The Flexible Map plugin for WordPress, up to and including version 1.18.0, fails to properly sanitize user-supplied attributes passed to the [flexiblemap] shortcode. Specifically, the plugin's custom str2js() function does not escape JavaScript context strings as securely as WordPress's built-in esc_js() function. This allows stored cross-site scripting (XSS) by injecting arbitrary JavaScript through attributes such as directions, zoomstyle, directionsfrom, maptype, maptypes, region, and locale [1][2].

How it is exploited

An attacker with contributor-level access or higher can create or edit a post/page containing the vulnerable shortcode and supply a malicious payload in any of the unsanitized attributes. When a site visitor views the affected page, the injected script executes within the context of that user's browser. No additional authentication is required on the part of the victim [1].

Impact

The attacker can perform actions such as stealing session cookies, redirecting users to malicious sites, defacing the page, or conducting other client-side attacks. Because the XSS is stored in the WordPress database, it persists until the malicious content is removed or the plugin is patched [1].

Mitigation

The vulnerability was addressed in the commit 1cbae2fa98e10c82d82a68e2bacfbdb7231117db by replacing the custom str2js() calls with WordPress's esc_js() function [2]. Users should update the Flexible Map plugin to version 1.18.1 or later, which contains this fix. No workaround is available for versions prior to the patch [1][2].