{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7660", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-14T20:33:04.291Z", "datePublished": "2025-07-18T04:23:02.411Z", "dateUpdated": "2026-04-08T17:16:47.076Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:47.076Z"}, "affected": [{"vendor": "lewisking0072", "product": "Map My Locations", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Map My Locations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'map_my_locations' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Map My Locations <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c84ad1-10c7-4b2f-82f3-7546fc8e337d?source=cve"}, {"url": "https://plugins.svn.wordpress.org/map-my-locations/trunk/public/class-map-my-locations-public.php"}, {"url": "https://plugins.svn.wordpress.org/map-my-locations/trunk/public/partials/map-my-locations-public-display.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-07-17T16:20:11.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-18T14:47:05.874532Z", "id": "CVE-2025-7660", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-18T14:56:45.751Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7660", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-18T14:47:05.874532Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-18T14:54:38.678Z"}}], "cna": {"title": "Map My Locations <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "lewisking0072", "product": "Map My Locations", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-17T16:20:11.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c84ad1-10c7-4b2f-82f3-7546fc8e337d?source=cve"}, {"url": "https://plugins.svn.wordpress.org/map-my-locations/trunk/public/class-map-my-locations-public.php"}, {"url": "https://plugins.svn.wordpress.org/map-my-locations/trunk/public/partials/map-my-locations-public-display.php"}], "descriptions": [{"lang": "en", "value": "The Map My Locations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'map_my_locations' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:47.076Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7660", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:16:47.076Z", "dateReserved": "2025-07-14T20:33:04.291Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-18T04:23:02.411Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Map My Locations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'map_my_locations' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Map My Locations para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del shortcode 'map_my_locations' en todas las versiones hasta la 1.1 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-7660", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-18T05:15:32.723", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/map-my-locations/trunk/public/class-map-my-locations-public.php"}, {"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/map-my-locations/trunk/public/partials/map-my-locations-public-display.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c84ad1-10c7-4b2f-82f3-7546fc8e337d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:59:35.197572+00:00", "value": {"mitigation_remediation": ["Upgrade the Map My Locations plugin to a version newer than 1.1; the update removes the unsanitized shortcode attributes and fixes the vulnerability.", "If an upgrade is not possible, restrict or block the map_my_locations shortcode on publicly accessible content, ensuring that only trusted content editors can add it.", "Reduce the scope of user roles that can edit pages containing the shortcode\u2014either remove contributor privileges from those users or enforce stricter role management so that only administrators can edit such content."], "summary": {"action": "Apply patch", "impact": "Stored XSS via insufficient shortcode attribute sanitization"}, "threat_synthesis": {"affected_systems": "Affected WordPress sites that have the Map My Locations plugin by lewisking0072 installed in any version up to and including 1.1. The vulnerability is tied to the plugin's usage of the map_my_locations shortcode, which is rendered on pages or posts where site administrators have inserted it.", "description_and_impact": "The Map My Locations plugin contains a flaw where user\u2011supplied attributes passed to the 'map_my_locations' shortcode are not properly sanitized or escaped. This allows an authenticated contributor or higher level user to inject arbitrary JavaScript into the shortcode. When a page containing the malformed shortcode is viewed, the injected script runs in the browser context of each visitor.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates moderate severity. The EPSS score is less than 1\u202f%, suggesting a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with contributor or higher permissions to edit a post or page that includes the map_my_locations shortcode, inject malicious attributes, and have another visitor load the affected page where the script executes."}}}}, "created": "2025-07-21T15:17:13.352464+00:00", "updated": "2026-04-21T04:00:10.075540+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}