Severity: 4.8 MEDIUM
EPSS: 0.2% (top 62.31%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 1
Latest update: Oct 22

Description

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Affected Packages (2 packages)

NVD: weplugins/wp_maps < 4.7.2
CVEListV5: unknown/wp_maps < 4.7.2

Vulnerability Details (3)

GHSA: pypdf can exhaust RAM via manipulated LZWDecode streams (2025-10-22)
CVEList: WP Maps < 4.7.2 - Admin+ Stored XSS (2025-05-01)
GHSA: GHSA-f6f3-grvj-5rhr: The WP Maps WordPress plugin before 4 (2025-05-01)

Vendor Advisories (1)

Microsoft: LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502 allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources the f (2023-02-14)
CVE-2025-3502 (MEDIUM CVSS 4.8) | The WP Maps WordPress plugin before | cvebase.io