CVE-2025-23871 - Vulnerability Details

- WordPress LSD Google Maps Embedder plugin <= 1.1 - CSRF to Stored XSS vulnerability

Description

Cross-Site Request Forgery (CSRF) vulnerability in Bas Matthee LSD Google Maps Embedder lsd-google-maps-embedder allows Cross Site Request Forgery.This issue affects LSD Google Maps Embedder: from n/a through <= 1.1.

Published: 2025-01-16

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A Cross‑Site Request Forgery issue in the Bas Matthee LSD Google Maps Embedder plugin allows an attacker who can trick an authenticated administrator into visiting a crafted URL to store malicious script data in the plugin’s settings. Because the data is rendered unfiltered on the site, the attacker can achieve persistent cross‑site scripting. This is classified as CWE‑352, which indicates a weakness in validating the origin of requests.

Affected Systems

The vulnerability affects WordPress sites running the Bas Matthee LSD Google Maps Embedder plugin version 1.1 or earlier. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 7.1 reflects high impact, while the EPSS score of less than 1 % indicates a low likelihood of exploitation at the time of analysis. The issue is not included in the CISA KEV catalog. Exploitation requires the attacker to entice an administrator into executing a forged request; thus the attack vector is web‑based CSRF leading to stored XSS. If successful, the attacker can act on behalf of the site owner and potentially exfiltrate sensitive data or deface content.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Bas Matthee

LSD Google Maps Embedder

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the LSD Google Maps Embedder plugin to the latest version (any release newer than 1.1).
If an immediate update is not possible, deactivate the plugin to remove the vulnerable code from the site.
Restrict administrator access to trusted users and enable two‑factor authentication so that only legitimate staff can log in from approved locations.

Generated by OpenCVE AI on May 2, 2026 at 06:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-3492	Cross-Site Request Forgery (CSRF) vulnerability in Bas Matthee LSD Google Maps Embedder allows Cross Site Request Forgery.This issue affects LSD Google Maps Embedder: from n/a through 1.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00197.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/lsd-google-maps-embedder/vulnerability/wordpress-lsd-google-maps-embedder-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Cross-Site Request Forgery (CSRF) vulnerability in Bas Matthee LSD Google Maps Embedder allows Cross Site Request Forgery.This issue affects LSD Google Maps Embedder: from n/a through 1.1.	Cross-Site Request Forgery (CSRF) vulnerability in Bas Matthee LSD Google Maps Embedder lsd-google-maps-embedder allows Cross Site Request Forgery.This issue affects LSD Google Maps Embedder: from n/a through <= 1.1.
References	https://patchstack.com/database/wordpress/plugin/lsd-google-maps-embedder/vulnerability/wordpress-lsd-google-maps-embedder-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/lsd-google-maps-embedder/vulnerability/wordpress-lsd-google-maps-embedder-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Fri, 17 Jan 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 16 Jan 2025 20:30:00 +0000

Type	Values Removed	Values Added
Description		Cross-Site Request Forgery (CSRF) vulnerability in Bas Matthee LSD Google Maps Embedder allows Cross Site Request Forgery.This issue affects LSD Google Maps Embedder: from n/a through 1.1.
Title		WordPress LSD Google Maps Embedder plugin <= 1.1 - CSRF to Stored XSS vulnerability
Weaknesses		CWE-352
References		https://patchstack.com/database/wordpress/plugin/lsd-google-maps-embedder/vulnerability/wordpress-lsd-google-maps-embedder-plugin-1-1-csrf-to-stored-xss-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-01-16T20:07:29.281Z

Updated: 2026-05-12T23:43:00.762Z

Reserved: 2025-01-16T11:31:20.771Z

Link: CVE-2025-23871

Vulnrichment

Updated: 2025-01-17T17:17:21.276Z

NVD

Status : Deferred

Published: 2025-01-16T21:15:27.200

Modified: 2026-06-17T08:57:39.077

Link: CVE-2025-23871

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:15:06Z

Weaknesses

CWE-352
Cross-Site Request Forgery (CSRF)

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object