CVE-2025-5122 - Vulnerability Details

- Map Block Leaflet <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter

Description

The Map Block Leaflet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: 2025-05-29

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows a stored cross‑site scripting attack through the ‘url’ parameter of the Map Block Leaflet WordPress plugin. Insufficient input sanitization and output escaping enable authenticated users with Contributor or higher privileges to inject malicious JavaScript that executes in the browsers of any visitor to the affected page. The weakness is a classic example of a client‑side injection flaw, classified as CWE‑79.

Affected Systems

All installations of the Map Block Leaflet plugin up to and including version 3.2.1 are affected. The plugin is distributed by goiblas for WordPress sites. No other vendors or products are mentioned in the CNA data.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium‑severity flaw, while the EPSS score of less than 1% suggests that exploitation is currently unlikely in the wild. The vulnerability is not listed in the CISA KEV catalog. Because only authenticated users with Contributor‑level access can inject the payload, the attack vector is limited to authenticated usage rather than remote or unauthenticated exploitation. Successful exploitation would allow an attacker to compromise the confidentiality, integrity, and availability of the user experience for all visitors who view the infected page.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

goiblas

Map Block Leaflet

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.2.1

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Map Block Leaflet plugin to a version newer than 3.2.1, which removes the vulnerable parameter handling
If an upgrade is not immediately possible, temporarily disable the plugin or remove it from production sites to eliminate the attack surface
Implement a site‑wide content security policy that restricts script execution from untrusted sources, mitigating the impact of any remaining stored script payloads

Generated by OpenCVE AI on April 21, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-16368	The Map Block Leaflet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00203.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/map-block-leaflet/trunk/build/leaflet-map-block/render.php#L41
https://plugins.trac.wordpress.org/changeset/3302407/
https://wordpress.org/plugins/map-block-leaflet/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/372f1cf3-df33-444c-b31e-8f71d128e30b?source=cve

History

Thu, 29 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 29 May 2025 08:30:00 +0000

Type	Values Removed	Values Added
Description		The Map Block Leaflet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title		Map Block Leaflet <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/map-block-leaflet/trunk/build/leaflet-map-block/render.php#L41 https://plugins.trac.wordpress.org/changeset/3302407/ https://wordpress.org/plugins/map-block-leaflet/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/372f1cf3-df33-444c-b31e-8f71d128e30b?source=cve
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-05-29T08:22:02.201Z

Updated: 2026-04-08T16:46:18.117Z

Reserved: 2025-05-23T17:18:43.336Z

Link: CVE-2025-5122

Vulnrichment

Updated: 2025-05-29T14:06:28.101Z

NVD

Status : Deferred

Published: 2025-05-29T09:15:27.940

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5122

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:45:25Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object