VYPR
Medium severity 6.4 · NVD Advisory · Published Sep 11, 2025 · Updated Apr 15, 2026

CVE-2025-9123

Description

The CBX Map for Google Map & OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup heading and location address parameters in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in CBX Map plugin for WordPress via insufficient sanitization of popup heading and address parameters.

Vulnerability

Description

The CBX Map for Google Map & OpenStreetMap WordPress plugin, in versions up to and including 2.0.1, is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability arises from insufficient input sanitization and output escaping on the popup heading and location address parameters. This allows authenticated attackers to inject arbitrary web scripts that are stored and executed when other users access the affected page [1].

Exploitation

Attack Surface

To exploit this vulnerability, an attacker must have at least Contributor-level access to the WordPress site. The attacker can inject malicious scripts via the heading or address fields when creating or editing a map. These scripts are then stored and executed in the context of the user's browser whenever a page containing the map is viewed. No additional user interaction is required beyond visiting the page [1].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as cookies and login credentials. The impact is limited to actions possible within the context of the WordPress site and the victim's session [1].

Mitigation

The vendor has not explicitly announced a patched version, but users are advised to update to the latest available version of the plugin to mitigate the risk. As a workaround, administrators can restrict Contributor-level users from editing maps or apply additional input validation and output escaping through custom code [1].
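One way to apply the input validation and output escaping the workaround describes, as an added example that is not the plugin's own code: the unsafe rendering pattern sits beside a hardened version that escapes per HTML context and sanitizes on save. All function names, meta keys and the nonce name (cbxmap_demo_*) are hypothetical.

```php
<?php
// Added example, not code from the CBX Map plugin. Names prefixed
// cbxmap_demo_ are hypothetical; the WordPress functions are real.

// UNSAFE pattern: stored heading/address echoed into HTML unescaped,
// so any markup a Contributor saved runs in every visitor's browser.
function cbxmap_demo_render_popup_unsafe( $heading, $address ) {
    return '<div class="popup"><h3>' . $heading . '</h3><p>' . $address . '</p></div>';
}

// HARDENED: escape at output time, choosing the escaper by context
// (esc_attr inside an attribute, esc_html inside element text).
function cbxmap_demo_render_popup( $heading, $address ) {
    return '<div class="popup" data-address="' . esc_attr( $address ) . '">'
         . '<h3>' . esc_html( $heading ) . '</h3>'
         . '<p>' . esc_html( $address ) . '</p></div>';
}

// HARDENED: also sanitize on save, after nonce and capability checks,
// so the stored meta never contains markup in the first place.
function cbxmap_demo_save_fields( $post_id ) {
    $nonce = isset( $_POST['cbxmap_demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['cbxmap_demo_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'cbxmap_demo_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $heading = isset( $_POST['cbxmap_demo_heading'] )
        ? sanitize_text_field( wp_unslash( $_POST['cbxmap_demo_heading'] ) ) : '';
    $address = isset( $_POST['cbxmap_demo_address'] )
        ? sanitize_text_field( wp_unslash( $_POST['cbxmap_demo_address'] ) ) : '';
    update_post_meta( $post_id, '_cbxmap_demo_heading', $heading );
    update_post_meta( $post_id, '_cbxmap_demo_address', $address );
}
add_action( 'save_post', 'cbxmap_demo_save_fields' );

// If the popup is assembled client-side, hand the values to JS with
// wp_localize_script (JSON-encoded) and insert them via textContent,
// never innerHTML, so escaping is preserved end to end.
```

Escaping on output is the control that closes the bug even for values already stored before the fix; sanitizing on save is defence in depth, not a substitute.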

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: none discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: no linked articles in the index yet.