{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8608", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-05T19:42:32.588Z", "datePublished": "2025-09-30T03:35:32.244Z", "dateUpdated": "2026-04-08T17:24:54.155Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:54.155Z"}, "affected": [{"vendor": "mihdan", "product": "Maps from Yandex for Elementor", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.6.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Mihdan: Elementor Yandex Maps <= 1.6.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Marker Pins", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d09a53cc-1773-467d-a9c7-72f343ed02a4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mihdan-elementor-yandex-maps/trunk/includes/class-widget.php#L1437"}, {"url": "https://github.com/mihdan/mihdan-elementor-yandex-maps/commit/e1eabf80f5f29dd6b5a9eb8f01f74daab0256043"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-09-28T14:23:44.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-29T15:32:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-30T15:36:38.392619Z", "id": "CVE-2025-8608", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T15:36:49.865Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8608", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-30T15:36:38.392619Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T15:36:43.541Z"}}], "cna": {"title": "Mihdan: Elementor Yandex Maps <= 1.6.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Marker Pins", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mihdan", "product": "Maps from Yandex for Elementor", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.6.11"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-28T14:23:44.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-29T15:32:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d09a53cc-1773-467d-a9c7-72f343ed02a4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mihdan-elementor-yandex-maps/trunk/includes/class-widget.php#L1437"}, {"url": "https://github.com/mihdan/mihdan-elementor-yandex-maps/commit/e1eabf80f5f29dd6b5a9eb8f01f74daab0256043"}], "descriptions": [{"lang": "en", "value": "The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.6.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:54.155Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8608", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:54.155Z", "dateReserved": "2025-08-05T19:42:32.588Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-30T03:35:32.244Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.6.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin Mihdan: Elementor Yandex Maps para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de los atributos de bloque del plugin en todas las versiones hasta la 1.6.11, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de nivel de colaborador y superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-8608", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-30T11:37:45.953", "references": [{"source": "security@wordfence.com", "url": "https://github.com/mihdan/mihdan-elementor-yandex-maps/commit/e1eabf80f5f29dd6b5a9eb8f01f74daab0256043"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mihdan-elementor-yandex-maps/trunk/includes/class-widget.php#L1437"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d09a53cc-1773-467d-a9c7-72f343ed02a4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:45:15.012846+00:00", "value": {"mitigation_remediation": ["Update the Mihdan: Elementor Yandex Maps plugin to the latest version (\u22651.6.12) where the marker pin attributes are properly sanitized and escaped to prevent XSS.", "If an upgrade is not immediately possible, remove contributor or higher users from the ability to create or edit map blocks by adjusting role capabilities or temporarily revoking map\u2011editing permissions.", "Optionally, review existing map blocks and manually remove any script tags or malicious content that may already be stored, or use a content\u2011sanitization plugin to cleanse the stored data."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All WordPress installations that use the Mihdan: Maps from Yandex for Elementor plugin version 1.6.11 or earlier. Sites that allow contributors or higher roles to create or edit map blocks are at risk. The vulnerability exists before and including 1.6.11; newer releases have addressed it.", "description_and_impact": "The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to stored cross\u2011site scripting through its block attributes. When a contributor\u2011level or higher user adds or edits a map block, the plugin does not sanitize or escape the marker pin data that contains user input. As a result, JavaScript or other malicious payloads can be stored in the database and will be injected into any page that renders the map. This flaw can be leveraged to steal session cookies, deface content, or execute arbitrary actions on behalf of any visitor who views the affected page.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate risk for potential impact. The EPSS score is less than 1%, suggesting that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with contributor-level permissions or higher; the attacker must submit a malicious marker pin through the block editor. Once injected, the payload will execute whenever any user loads the page that contains the compromised map block."}}}}, "created": "2025-09-30T08:47:29.438256+00:00", "updated": "2026-04-20T21:45:18.979877+00:00", "vendors": ["elementor", "elementor$PRODUCT$elementor", "mihdan", "mihdan$PRODUCT$elementor_yandex_maps", "wordpress", "wordpress$PRODUCT$wordpress"]}