Medium severity6.4NVD Advisory· Published Sep 26, 2025· Updated Apr 15, 2026
CVE-2025-9044
CVE-2025-9044
Description
The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected products
2- Range: <=1.20.0
- Range: <=1.20.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.phpnvd
- plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.phpnvd
- plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.phpnvd
- plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/b0f2c7f0-ff24-4489-9fb4-8a98ac6dc09anvd
News mentions
0No linked articles in our index yet.