Description
The Flexible Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Flexible Maps shortcode in all versions up to, and including, 1.18.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting allowing arbitrary script execution
Action: Patch Now
AI Analysis

Impact

The Flexible Map plugin’s shortcode stored user input without adequate sanitization or escaping, enabling authenticated users with contributor-level privileges to insert arbitrary web scripts into pages. This stored cross‑site scripting flaw permits injected code to execute in the browsers of any visitor to the compromised page, potentially leading to credential theft, session hijacking, or phishing attacks. The weakness corresponds to CWE‑79, reflecting improper output encoding.

Affected Systems

WordPress sites using the webaware Flexible Map plugin version 1.18.0 or earlier are vulnerable. Only users who have contributor or higher privileges can exploit the flaw by adding or editing content that includes the shortcode with malicious attributes. Site administrators should verify which variants of the plugin are deployed and whether the affected versions are present.

Risk and Exploitability

The recorded CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the foreseeable future. This vulnerability is not listed in the CISA KEV catalog, implying it has not yet been observed in widespread misuse. Exploitation requires authenticated access with at least contributor permissions, making the attack vector somewhat constrained but still significant for sites that allow contributors to add or edit content. The overall risk to a site depends on the trust level assigned to contributors and the presence of the plugin’s shortcode in publicly accessible pages.

Generated by OpenCVE AI on April 20, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Flexible Map plugin to the latest released version that includes the input validation and output escaping fixes.
  • If an immediate upgrade is not possible, remove or disable the Flexible Maps shortcode from posts and pages until the plugin can be patched.
  • Restrict contributor-level users from adding or editing content that uses the shortcode, or reduce their role to a level that does not grant permission to edit the shortcode attributes.

Generated by OpenCVE AI on April 20, 2026 at 22:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28802 The Flexible Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Flexible Maps shortcode in all versions up to, and including, 1.18.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 19 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 Aug 2025 07:45:00 +0000

Type Values Removed Values Added
Description The Flexible Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Flexible Maps shortcode in all versions up to, and including, 1.18.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Flexible Maps <= 1.18.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Flexible Maps Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:17.012Z

Reserved: 2025-08-05T20:47:43.413Z

Link: CVE-2025-8622

cve-icon Vulnrichment

Updated: 2025-08-19T13:25:00.562Z

cve-icon NVD

Status : Deferred

Published: 2025-08-19T08:15:30.750

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8622

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses