Description
The Meks Easy Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title field in all versions up to, and including, 2.1.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the map containing the malicious post.
Published: 2025-10-03
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The Meks Easy Maps plugin for WordPress is vulnerable to stored cross-site scripting because the post title is neither sanitized on input nor escaped on output before the plugin renders it on a map. An authenticated attacker with the contributor role or higher can save a payload in the title of a post; the script then runs in the browser of every user who views the map that includes that post. The CVSS vector (UI:N, S:C) records that the victim only has to load the page and that the script executes in the victim's session, not the attacker's. Because WordPress marks its authentication cookies HttpOnly, the realistic impact is not cookie theft but actions taken as the victim from within the page: for an administrator victim that typically means creating accounts or changing settings through wp-admin or the REST API, and for any victim it means defacement or redirection to phishing content, all without server-side code execution.
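To make the mechanism concrete, the following is an added example, not code from the Meks Easy Maps plugin or from the advisory. It shows a map marker being rendered from a post title in the vulnerable pattern (raw title spliced into an attribute, element text and an inline script) and in a hardened pattern that escapes for each output context. The function names, the marker markup and the addMarker() JavaScript function are assumptions for illustration; esc_attr(), esc_html(), get_the_title() and wp_json_encode() are real WordPress functions.

```php
<?php
// Added illustration, not code from the Meks Easy Maps plugin. The marker markup,
// the addMarker() JS function and the two function names are assumptions.

// Vulnerable pattern (CWE-79): the stored post title is concatenated straight
// into an HTML attribute, into element text and into an inline JavaScript string
// literal. WordPress runs wp_kses() over a contributor's title on save, which
// strips tags, but it leaves quote characters alone, so a title such as
//     Beach " onmouseover="alert(document.domain)
// closes the title="" attribute and adds an event handler, and a title holding
// a single quote ends the JS string literal and appends arbitrary code.
function example_render_marker_vulnerable( WP_Post $post, float $lat, float $lng ): string {
    $title = $post->post_title;

    $html  = '<div class="marker" title="' . $title . '">' . $title . '</div>';
    $html .= "<script>addMarker({$lat}, {$lng}, '" . $title . "');</script>";

    return $html;
}

// Hardened pattern: escape on output, picking the escaper for the context the
// value lands in. Filtering on input alone is not enough here because the same
// title is emitted into three different contexts.
function example_render_marker_safe( WP_Post $post, float $lat, float $lng ): string {
    $title = get_the_title( $post ); // still attacker-controlled text

    $html  = '<div class="marker" title="' . esc_attr( $title ) . '">'
           . esc_html( $title ) . '</div>';

    // For the JavaScript context, serialise the whole argument as JSON instead of
    // splicing a string literal. wp_json_encode() escapes "/" as "\/", so the
    // output can never contain "</script>"; the JSON_HEX_* flags additionally
    // turn < > & ' " into \uXXXX escapes so the value is inert as HTML too.
    $marker = wp_json_encode(
        array( 'lat' => $lat, 'lng' => $lng, 'title' => $title ),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    $html .= '<script>addMarker(' . $marker . ');</script>';

    return $html;
}
```

In a real plugin the inline script would normally be attached with wp_add_inline_script() or wp_localize_script() rather than echoed, but the escaping rule is the same: the value that reaches the browser must be encoded for the exact context it is placed in.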

Affected Systems

All WordPress sites running Meks Easy Maps 2.1.4 or earlier are affected, on any WordPress core version: the flaw is in the plugin's own rendering of post titles, so the core version does not matter. Exposure requires at least one account with the contributor role or above that an attacker controls or can obtain.

Risk and Exploitability

The CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) is Medium: the attack is network-reachable and low-complexity, needs only low privileges and no victim interaction beyond viewing the map, and the changed scope records that the script runs in other users' browsers. The EPSS estimate of under 1% and the SSVC assessment (Exploitation: none, Automatable: no) indicate no known exploitation, and the CVE is not in the CISA KEV catalog. An attacker must hold, or obtain, a contributor-level or higher account; once the payload is stored, it fires for every user who opens the map. Exposure is therefore greatest on multi-author sites, on sites that allow open registration with a post-creating default role, and on sites with weak or reused contributor credentials; without such an account the flaw is not reachable.

Generated by OpenCVE AI on April 21, 2026 at 02:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Meks Easy Maps to a version newer than 2.1.4 that includes the necessary input sanitization and output escaping.
  • If the plugin is not required, deactivate and remove it to eliminate the attack surface entirely.
  • Audit every account with the contributor role or above, remove accounts that are no longer needed, and make sure self-registered users receive the subscriber role only, so that fewer accounts can store a title the map will render.
  • Review existing post titles, including drafts and pending posts, for markup or quote characters: updating the plugin changes how titles are rendered but does not alter titles already stored.
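The last point is easy to check from WP-CLI. The script below is an added audit example, not part of the plugin or the advisory; it lists every post, of any type and status, whose title contains characters that can leave an HTML attribute or a JavaScript string literal. The post type used by Meks Easy Maps is not stated on this page, so the script scans all post types; example_title_is_suspicious(), example_find_suspicious_posts() and the file name audit-titles.php are assumptions. $wpdb, get_userdata() and the WP_CLI logging methods are real WordPress and WP-CLI APIs.

```php
<?php
// Added audit script (not from the plugin or the advisory). Run it with WP-CLI:
//     wp eval-file audit-titles.php
// Drafts and pending posts are included because a contributor's title is stored
// the moment the post is saved, before anyone reviews it. Narrow the query to the
// plugin's post type if you know it; it is not given here, so all types are scanned.

// Characters and fragments that do not belong in an ordinary title:
//   < > " ' \   leave attribute, text or JS-string contexts
//   javascript:  URL scheme usable in href/src
//   onXxx=       inline event handler attribute
function example_title_is_suspicious( string $title ): bool {
    return (bool) preg_match( '/[<>"\'\\\\]|javascript:|\bon[a-z]+\s*=/i', $title );
}

// Takes rows with a post_title property (as returned by $wpdb->get_results) and
// returns only the rows whose title matches the pattern above.
function example_find_suspicious_posts( array $rows ): array {
    $hits = array();
    foreach ( $rows as $row ) {
        if ( example_title_is_suspicious( (string) $row->post_title ) ) {
            $hits[] = $row;
        }
    }
    return $hits;
}

global $wpdb;
$rows = $wpdb->get_results(
    "SELECT ID, post_type, post_status, post_author, post_title FROM {$wpdb->posts}"
);

$hits = example_find_suspicious_posts( $rows );
if ( empty( $hits ) ) {
    WP_CLI::success( 'No suspicious post titles found.' );
} else {
    foreach ( $hits as $row ) {
        $user = get_userdata( (int) $row->post_author );
        WP_CLI::log( sprintf(
            'post %d (%s, %s) by %s: %s',
            $row->ID,
            $row->post_type,
            $row->post_status,
            $user ? $user->user_login : 'unknown',
            $row->post_title
        ) );
    }
    WP_CLI::warning( count( $hits ) . ' post title(s) need manual review.' );
}
```

A hit is not proof of an attack: a legitimate title can contain quotes or angle brackets. It does identify exactly the rows that an unpatched plugin would have rendered unescaped, and the author column tells you which contributor accounts to look at first.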



Advisories
Source: EUVD
ID: EUVD-2025-32267
Title: The Meks Easy Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title field in all versions up to, and including, 2.1.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the map containing the malicious post.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type: First Time appeared
Values Added: Mekshq; Mekshq meks Easy Maps; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Mekshq; Mekshq meks Easy Maps; Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Oct 2025 11:30:00 +0000

Type: Description
Values Added: The Meks Easy Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title field in all versions up to, and including, 2.1.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the map containing the malicious post.

Type: Title
Values Added: Meks Easy Maps <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:05.929Z

Reserved: 2025-08-19T18:21:12.181Z

Link: CVE-2025-9206

Vulnrichment

Updated: 2025-10-03T14:48:48.067Z

NVD

Status : Deferred

Published: 2025-10-03T12:15:47.070

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9206

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses