Description
The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.6.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-30
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to stored cross‑site scripting through its block attributes. When a contributor‑level or higher user adds or edits a map block, the plugin does not sanitize or escape the marker pin data that contains user input. As a result, JavaScript or other malicious payloads can be stored in the database and will be injected into any page that renders the map. This flaw can be leveraged to steal session cookies, deface content, or execute arbitrary actions on behalf of any visitor who views the affected page.

Affected Systems

All WordPress installations that use the Mihdan: Maps from Yandex for Elementor plugin version 1.6.11 or earlier. Sites that allow contributors or higher roles to create or edit map blocks are at risk. The vulnerability exists before and including 1.6.11; newer releases have addressed it.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate risk for potential impact. The EPSS score is less than 1%, suggesting that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with contributor-level permissions or higher; the attacker must submit a malicious marker pin through the block editor. Once injected, the payload will execute whenever any user loads the page that contains the compromised map block.

Generated by OpenCVE AI on April 20, 2026 at 21:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Mihdan: Elementor Yandex Maps plugin to the latest version (≥1.6.12) where the marker pin attributes are properly sanitized and escaped to prevent XSS.
  • If an upgrade is not immediately possible, remove contributor or higher users from the ability to create or edit map blocks by adjusting role capabilities or temporarily revoking map‑editing permissions.
  • Optionally, review existing map blocks and manually remove any script tags or malicious content that may already be stored, or use a content‑sanitization plugin to cleanse the stored data.

Generated by OpenCVE AI on April 20, 2026 at 21:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31680 The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.6.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Tue, 30 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Sep 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Elementor
Elementor elementor
Mihdan
Mihdan elementor Yandex Maps
Wordpress
Wordpress wordpress
Vendors & Products Elementor
Elementor elementor
Mihdan
Mihdan elementor Yandex Maps
Wordpress
Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.6.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Mihdan: Elementor Yandex Maps <= 1.6.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Marker Pins
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Elementor Elementor
Mihdan Elementor Yandex Maps
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:54.155Z

Reserved: 2025-08-05T19:42:32.588Z

Link: CVE-2025-8608

cve-icon Vulnrichment

Updated: 2025-09-30T15:36:43.541Z

cve-icon NVD

Status : Deferred

Published: 2025-09-30T11:37:45.953

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8608

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses