{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4131", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-30T08:54:32.422Z", "datePublished": "2025-05-02T01:43:34.850Z", "dateUpdated": "2026-04-08T16:44:57.264Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:57.264Z"}, "affected": [{"vendor": "garubi", "product": "GmapsMania", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GmapsMania plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gmap shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "GmapsMania <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30d39718-945a-43a2-be08-70be1af55965?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gmapsmania/trunk/gmapsmania.php#L14"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-04-25T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-05-01T13:11:10.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-02T16:29:00.358455Z", "id": "CVE-2025-4131", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T16:29:24.560Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4131", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-02T16:29:00.358455Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T16:29:09.832Z"}}], "cna": {"title": "GmapsMania <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "garubi", "product": "GmapsMania", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-25T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-05-01T13:11:10.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30d39718-945a-43a2-be08-70be1af55965?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/gmapsmania/trunk/gmapsmania.php#L14"}], "descriptions": [{"lang": "en", "value": "The GmapsMania plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gmap shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:57.264Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4131", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:44:57.264Z", "dateReserved": "2025-04-30T08:54:32.422Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-02T01:43:34.850Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The GmapsMania plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gmap shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento GmapsMania para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del shortcode de Gmap en todas las versiones hasta la 1.1 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-4131", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-05-02T03:15:21.257", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gmapsmania/trunk/gmapsmania.php#L14"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30d39718-945a-43a2-be08-70be1af55965?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T02:04:01.699909+00:00", "value": {"mitigation_remediation": ["Update GmapsMania to the latest version (\u2265\u00a01.2).", "If an upgrade is not possible, remove or disable the gmap shortcode from all content to eliminate the vulnerability.", "Restrict or revoke untrusted contributor privileges so that only trusted users can add or edit content containing shortcodes."], "summary": {"action": "Apply patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All users of the garubi GmapsMania WordPress plugin running version 1.1 or earlier are affected. The flaw is resolved in releases newer than 1.1. Sites that have not yet applied the patch or have not upgraded to a later version remain vulnerable. The vulnerability requires the attacker to have at least Contributor role or higher to add or edit content containing the shortcode.", "description_and_impact": "The GmapsMania plugin for WordPress contains a stored cross\u2011site scripting flaw caused by insufficient sanitization and escaping of attributes supplied to the gmap shortcode. Attackers with authenticated contributor\u2011level access can insert arbitrary web scripts into the shortcode. Those scripts are written to the WordPress database and then rendered unescaped whenever a user views a page that contains the shortcode. The stored XSS permits the attacker to execute client\u2011side code in the browsers of any visitor to the affected page.", "risk_and_exploitability": "The CVSS score of 6.4 reflects a moderate severity. The EPSS score is below 1\u202f%, indicating a very low current probability of exploitation. The flaw is not listed in the CISA KEV catalog. Because the attack vector requires authenticated contributor access, the initial exploitation is limited to users with sufficient privileges. However, once a payload is stored, every visitor to the affected page will have the script executed on their browser."}}}}, "created": "2025-07-12T22:16:13.092723+00:00", "updated": "2026-04-28T02:15:18.698675+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}