{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13850", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-01T19:55:39.821Z", "datePublished": "2025-12-12T03:21:00.781Z", "dateUpdated": "2026-04-08T17:29:24.057Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:24.057Z"}, "affected": [{"vendor": "ladislavsoukupgmailcom", "product": "LS Google Map Router", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LS Google Map Router plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'map_type' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "LS Google Map Router <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3581172-10d8-4b11-95f7-ee1835e29606?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ls-gmap-route/trunk/ls-gmap_route.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/ls-gmap-route/tags/1.1.0/ls-gmap_route.php#L61"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-12-11T15:04:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T20:38:58.161840Z", "id": "CVE-2025-13850", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T20:39:07.097Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13850", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-18T20:38:58.161840Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T20:39:03.157Z"}}], "cna": {"title": "LS Google Map Router <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "ladislavsoukupgmailcom", "product": "LS Google Map Router", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T15:04:38.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3581172-10d8-4b11-95f7-ee1835e29606?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ls-gmap-route/trunk/ls-gmap_route.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/ls-gmap-route/tags/1.1.0/ls-gmap_route.php#L61"}], "descriptions": [{"lang": "en", "value": "The LS Google Map Router plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'map_type' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T03:21:00.781Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13850", "state": "PUBLISHED", "dateUpdated": "2025-12-18T20:39:07.097Z", "dateReserved": "2025-12-01T19:55:39.821Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:21:00.781Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LS Google Map Router plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'map_type' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13850", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:42.817", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ls-gmap-route/tags/1.1.0/ls-gmap_route.php#L61"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/ls-gmap-route/trunk/ls-gmap_route.php#L61"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3581172-10d8-4b11-95f7-ee1835e29606?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:51:52.217886+00:00", "value": {"mitigation_remediation": ["Update LS Google Map Router to the latest stable release that addresses the XSS issue (any version newer than 1.1.0).", "If an update is unavailable, block or remove the 'map_type' parameter from the shortcode or disable shortcodes for Contributor users.", "Review and tighten user roles so that only trusted administrators can manage and insert shortcodes.", "Ensure WordPress core and other plugins are kept up to date."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the LS Google Map Router plugin by ladislavsoukupgmailcom, all WordPress installations running any version up to and including 1.1.0.", "description_and_impact": "The LS Google Map Router plugin for WordPress contains a stored cross\u2011site scripting flaw that is triggered via the 'map_type' shortcode attribute. Insufficient input sanitization and output escaping allow an authenticated user with Contributor access or higher to embed arbitrary JavaScript. When a user visits a page containing the injected shortcode, the script executes under the victim\u2019s browser context, risking theft of credentials, session hijacking, or defacement.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. With an EPSS less than 1% the likelihood of active exploitation in the wild appears low, and the vulnerability is not catalogued in the CISA KEV list. However, the requirement for Contributor\u2011level authentication means the attack surface is limited to users already granted content\u2011creation privileges. Attackers can craft a malicious shortcode in the plugin interface or edit content, and the injected script will persist until removed. Given the limited privilege requirement and the potential for cross\u2011site attacks, administrators should treat it as a moderate\u2011risk internal threat and apply remediation promptly."}}}}, "created": "2025-12-12T08:48:29.358997+00:00", "updated": "2026-04-21T01:00:12.956708+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}