{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12369", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-27T20:07:43.306Z", "datePublished": "2025-11-04T04:27:17.014Z", "dateUpdated": "2026-04-08T16:59:06.233Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:06.233Z"}, "affected": [{"vendor": "hupe13", "product": "Extensions for Leaflet Map", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `geojsonmarker` shortcode in all versions up to, and including, 4.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Extensions for Leaflet Map <= 4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6be74779-4db7-4d44-a706-285375f4fec9?source=cve"}, {"url": "https://wordpress.org/plugins/extensions-leaflet-map"}, {"url": "https://plugins.trac.wordpress.org/browser/extensions-leaflet-map/tags/4.7/php/geojsonmarker.php#L90"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387532/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2025-11-03T15:33:02.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T16:47:26.251438Z", "id": "CVE-2025-12369", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T16:47:34.277Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12369", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-04T16:47:26.251438Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T16:47:31.045Z"}}], "cna": {"title": "Extensions for Leaflet Map <= 4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "hupe13", "product": "Extensions for Leaflet Map", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T15:33:02.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6be74779-4db7-4d44-a706-285375f4fec9?source=cve"}, {"url": "https://wordpress.org/plugins/extensions-leaflet-map"}, {"url": "https://plugins.trac.wordpress.org/browser/extensions-leaflet-map/tags/4.7/php/geojsonmarker.php#L90"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387532/"}], "descriptions": [{"lang": "en", "value": "The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `geojsonmarker` shortcode in all versions up to, and including, 4.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:06.233Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12369", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:06.233Z", "dateReserved": "2025-10-27T20:07:43.306Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-04T04:27:17.014Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `geojsonmarker` shortcode in all versions up to, and including, 4.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-12369", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-04T05:16:11.387", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/extensions-leaflet-map/tags/4.7/php/geojsonmarker.php#L90"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3387532/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/extensions-leaflet-map"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6be74779-4db7-4d44-a706-285375f4fec9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:47:24.872124+00:00", "value": {"mitigation_remediation": ["Upgrade the Extensions for Leaflet Map plugin to a version newer than 4.7.", "Remove any geojsonmarker instances that contain malicious attributes from posts or pages.", "Review existing content for residual XSS payloads and sanitize if necessary."], "summary": {"action": "Update Plugin", "impact": "Stored cross\u2011site scripting via the geojsonmarker shortcode"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the Extensions for Leaflet Map plugin version 4.7 or earlier are affected. The vulnerability exists in every release up to and including 4.7, regardless of the installed WordPress version. Site administrators must verify whether the plugin is present on their instances.", "description_and_impact": "The Extensions for Leaflet Map plugin for WordPress contains a stored Cross\u2011Site Scripting flaw in the geojsonmarker shortcode. The plugin fails to sanitize and escape user\u2011supplied attributes, allowing an authenticated user with Contributor or higher privileges to inject arbitrary JavaScript. When a victim loads a page containing the malicious shortcode, the script runs in the victim's browser, potentially hijacking sessions, defacing content, or performing other client\u2011side attacks.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.4, indicating moderate severity, while the EPSS score of less than 1\u202f% suggests that the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog, implying no publicly confirmed exploits at this time. Attackers need only Contributor\u2011level access to inject payloads via the geojsonmarker shortcode, which then execute automatically for any user who views the affected page. Because the vectors are stored and user\u2011role dependent, the attack is feasible in a typical content\u2011management environment where contributors are allowed to edit posts."}}}}, "created": "2025-11-04T16:33:00.745427+00:00", "updated": "2026-04-22T12:00:05.919910+00:00", "vendors": ["hupe13", "hupe13$PRODUCT$extensions_for_leaflet_map", "wordpress", "wordpress$PRODUCT$wordpress"]}