Description
The Map My Locations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'map_my_locations' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via insufficient shortcode attribute sanitization
Action: Apply patch
AI Analysis

Impact

The Map My Locations plugin contains a flaw where user-supplied attributes passed to the 'map_my_locations' shortcode are not properly sanitized or escaped. This allows an authenticated user with contributor-level or higher privileges to inject arbitrary JavaScript through the shortcode's attributes. When a page containing the malformed shortcode is viewed, the injected script runs in the browser context of each visitor.
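The flaw class described above is a shortcode handler that concatenates attribute values straight into its HTML output. The following is an added illustration written for this page; it is not the plugin's code. It uses a hypothetical shortcode named demo_map with assumed attributes (title, lat, lng, zoom) and shows the unescaped pattern next to a hardened handler that validates each attribute by type and escapes it for the output context it lands in. Note that shortcode_atts() only fills in defaults and performs no sanitization, and that WordPress's kses filtering of post content for users without unfiltered_html does not protect shortcode output, because that output is generated at render time.

```php
<?php
// Added example for this advisory page, not the Map My Locations plugin's code.
// The shortcode name 'demo_map' and the attribute names are assumptions.

// Pattern the advisory describes: attribute values are written into HTML
// unescaped, so a value containing a quote can break out of the attribute
// (or, in the text node, inject arbitrary tags).
function demo_map_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'lat' => '0', 'lng' => '0', 'zoom' => '10' ),
        $atts,
        'demo_map'
    );
    // shortcode_atts() merges defaults only; nothing here is sanitized or escaped.
    return '<div class="map" data-lat="' . $atts['lat'] . '" data-lng="' . $atts['lng']
         . '" data-zoom="' . $atts['zoom'] . '"><h3>' . $atts['title'] . '</h3></div>';
}

// Hardened handler: validate on input by expected type, escape on output by context.
function demo_map_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'lat' => '0', 'lng' => '0', 'zoom' => '10' ),
        $atts,
        'demo_map'
    );

    // Input validation: coordinates must be numeric and in range, zoom a non-negative integer.
    $title = sanitize_text_field( $atts['title'] );
    $lat   = is_numeric( $atts['lat'] ) ? (float) $atts['lat'] : 0.0;
    $lng   = is_numeric( $atts['lng'] ) ? (float) $atts['lng'] : 0.0;
    $zoom  = absint( $atts['zoom'] );
    if ( $lat < -90 || $lat > 90 || $lng < -180 || $lng > 180 ) {
        $lat = 0.0;
        $lng = 0.0;
    }

    // Output escaping: esc_attr() for attribute values, esc_html() for the text node.
    return sprintf(
        '<div class="map" data-lat="%s" data-lng="%s" data-zoom="%d"><h3>%s</h3></div>',
        esc_attr( (string) $lat ),
        esc_attr( (string) $lng ),
        $zoom,
        esc_html( $title )
    );
}

add_shortcode( 'demo_map', 'demo_map_shortcode_safe' );
```

For a code review of a shortcode handler, the check is simple: every `$atts[...]` value that reaches the return string should pass through a validator appropriate to its type and then an escaping function that matches where it is placed (esc_attr, esc_html, esc_url, or wp_json_encode for inline script data).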

Affected Systems

WordPress sites that have the Map My Locations plugin by lewisking0072 installed, in any version up to and including 1.1, are affected. The vulnerability is tied to the plugin's map_my_locations shortcode, which is rendered on any page or post where it has been inserted.

Risk and Exploitability

The CVSS base score of 6.4 indicates moderate severity. The EPSS score is less than 1%, suggesting a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with contributor or higher permissions to edit a post or page that includes the map_my_locations shortcode, inject malicious attributes, and have another visitor load the affected page where the script executes.

Generated by OpenCVE AI on April 21, 2026 at 03:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Map My Locations plugin to a version newer than 1.1; the update removes the unsanitized shortcode attributes and fixes the vulnerability.
  • If an upgrade is not possible, restrict or block the map_my_locations shortcode on publicly accessible content, ensuring that only trusted content editors can add it.
  • Reduce the scope of user roles that can edit pages containing the shortcode—either remove contributor privileges from those users or enforce stricter role management so that only administrators can edit such content.
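The second recommended action, blocking the shortcode until the plugin can be upgraded, can be done without editing the plugin by overriding its shortcode registration from a must-use plugin. The snippet below is an added mitigation example, not code from the plugin or from OpenCVE; it assumes the plugin registers its shortcode no later than the init action at default priority, which is why the override hooks init at the lowest possible priority.

```php
<?php
/*
 * Plugin Name: Temporary mitigation - neutralise map_my_locations shortcode
 * Description: Added example for this advisory page (not vendor code). Drop into
 *              wp-content/mu-plugins/ and remove once the plugin is upgraded past 1.1.
 */

add_action( 'init', function () {
    // Only act if the vulnerable plugin actually registered the tag.
    if ( ! shortcode_exists( 'map_my_locations' ) ) {
        return;
    }

    // Unregister the plugin's handler so its unescaped output is never produced.
    remove_shortcode( 'map_my_locations' );

    // Re-register the tag with a handler that emits nothing, so the literal
    // [map_my_locations ...] text (including any injected attributes) does not
    // remain visible in the rendered page either.
    add_shortcode( 'map_my_locations', '__return_empty_string' );

    // Optional: leave a trace for administrators in the debug log so the
    // mitigation is not forgotten once the upgrade is available.
    if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
        error_log( 'map_my_locations shortcode disabled by temporary mitigation mu-plugin' );
    }
}, PHP_INT_MAX );
```

Because must-use plugins load before regular plugins and the callback runs at the last init priority, it takes effect regardless of whether the plugin registers its shortcode at file load or on init. Pair this with the third action (limiting who can edit content carrying the shortcode); the mu-plugin stops rendering of already-stored payloads but does not remove them from post content, so existing posts should still be reviewed after upgrading.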


Advisories
Source: EUVD
ID: EUVD-2025-21839
Title: The Map My Locations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'map_my_locations' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 18 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 18 Jul 2025 04:30:00 +0000

Type Values Removed Values Added
Description The Map My Locations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'map_my_locations' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Map My Locations <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:47.076Z

Reserved: 2025-07-14T20:33:04.291Z

Link: CVE-2025-7660

Vulnrichment

Updated: 2025-07-18T14:54:38.678Z

NVD

Status : Deferred

Published: 2025-07-18T05:15:32.723

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7660

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T04:00:10Z

Weaknesses