{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12415", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T15:42:03.979Z", "datePublished": "2025-11-04T04:27:19.056Z", "dateUpdated": "2026-04-08T17:02:36.430Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:36.430Z"}, "affected": [{"vendor": "sugiartha", "product": "MapMap", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MapMap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the admin_shortcode_submit, admin_configuration_submit, and admin_shortcode_delete functions. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "MapMap <= 1.1 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c0ed22d-6102-47d6-9afb-fed8515ea74c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mapmap/tags/1.1/mapmap.php#L418"}, {"url": "https://plugins.trac.wordpress.org/browser/mapmap/tags/1.1/mapmap.php#L397"}, {"url": "https://plugins.trac.wordpress.org/browser/mapmap/tags/1.1/mapmap.php#L447"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "timeline": [{"time": "2025-11-03T15:33:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T15:52:51.308119Z", "id": "CVE-2025-12415", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T15:53:00.650Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12415", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-04T15:52:51.308119Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T15:52:57.272Z"}}], "cna": {"title": "MapMap <= 1.1 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "dayea song"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "sugiartha", "product": "MapMap", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T15:33:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c0ed22d-6102-47d6-9afb-fed8515ea74c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mapmap/tags/1.1/mapmap.php#L418"}, {"url": "https://plugins.trac.wordpress.org/browser/mapmap/tags/1.1/mapmap.php#L397"}, {"url": "https://plugins.trac.wordpress.org/browser/mapmap/tags/1.1/mapmap.php#L447"}], "descriptions": [{"lang": "en", "value": "The MapMap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the admin_shortcode_submit, admin_configuration_submit, and admin_shortcode_delete functions. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:36.430Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12415", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:36.430Z", "dateReserved": "2025-10-28T15:42:03.979Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-04T04:27:19.056Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MapMap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the admin_shortcode_submit, admin_configuration_submit, and admin_shortcode_delete functions. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "id": "CVE-2025-12415", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-04T05:16:13.530", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mapmap/tags/1.1/mapmap.php#L397"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mapmap/tags/1.1/mapmap.php#L418"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mapmap/tags/1.1/mapmap.php#L447"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c0ed22d-6102-47d6-9afb-fed8515ea74c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:40:42.385143+00:00", "value": {"mitigation_remediation": ["Update the MapMap plugin to the latest version that contains the CSRF fixes", "If an update is unavailable, deactivate or uninstall the plugin until a fixed version is released", "Implement additional CSRF protection for admin actions, such as a security plugin that requires nonce validation on all post requests to the plugin or WordPress admin"], "summary": {"action": "Apply patch", "impact": "Unauthorized modification of plugin settings and stored cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress MapMap plugin version 1.1 and earlier, including the default \u201csugiartha:MapMap\u201d plugin, are affected. Any WordPress site that currently runs these versions and has the plugin activated, especially where administrators have not applied mitigations, is vulnerable.", "description_and_impact": "The MapMap plugin for WordPress contains a vulnerable Cross\u2011Site Request Forgery flaw (CWE\u2011352) that allows unauthenticated attackers to forge requests to the plugin's admin endpoints. By bypassing nonce checks on the admin_shortcode_submit, admin_configuration_submit, and admin_shortcode_delete functions, an attacker can modify the plugin\u2019s settings and inject arbitrary scripts that are stored in the database, leading to stored cross\u2011site scripting. This flaw can result in arbitrary configuration changes and the execution of malicious code within the context of authorized administrators, significantly compromising both confidentiality and integrity.", "risk_and_exploitability": "With a CVSS score of 6.1 this vulnerability is classified as moderate severity and is considered exploitable whenever an administrator can be persuaded to click a malicious link or submit a forged form. The EPSS score of less than 1% indicates a low probability of widespread exploitation, but the flaw remains uncovered in the CISA KEV catalog. Attackers would need to conduct social engineering against an admin, as the flaw is unauthenticated but requires the target to be logged in. Once exploited, the attacker can change plugin settings and inject stored scripts that run under the administrator context, potentially giving full control over the site\u2019s front\u2011end."}}}}, "created": "2025-11-04T16:33:23.735481+00:00", "updated": "2026-04-21T18:45:06.083030+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}