{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9044", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-14T18:35:47.572Z", "datePublished": "2025-09-26T03:25:34.873Z", "dateUpdated": "2026-04-08T17:16:05.449Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:05.449Z"}, "affected": [{"vendor": "mapster", "product": "Mapster WP Maps", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.20.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Mapster WP Maps <= 1.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0f2c7f0-ff24-4489-9fb4-8a98ac6dc09a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L15547"}, {"url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13932"}, {"url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13952"}, {"url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13972"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363333%40mapster-wp-maps&new=3363333%40mapster-wp-maps&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-08-15T08:25:43.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-25T14:31:06.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-26T19:32:59.512985Z", "id": "CVE-2025-9044", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:33:20.268Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9044", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-26T19:32:59.512985Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:33:10.442Z"}}], "cna": {"title": "Mapster WP Maps <= 1.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mapster", "product": "Mapster WP Maps", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.20.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-15T08:25:43.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-25T14:31:06.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0f2c7f0-ff24-4489-9fb4-8a98ac6dc09a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L15547"}, {"url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13932"}, {"url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13952"}, {"url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13972"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363333%40mapster-wp-maps&new=3363333%40mapster-wp-maps&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:05.449Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9044", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:16:05.449Z", "dateReserved": "2025-08-14T18:35:47.572Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-26T03:25:34.873Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9044", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-26T04:16:02.280", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13932"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13952"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L13972"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mapster-wp-maps/tags/1.18.0/admin/includes/acf-map-fields.php#L15547"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363333%40mapster-wp-maps&new=3363333%40mapster-wp-maps&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0f2c7f0-ff24-4489-9fb4-8a98ac6dc09a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:28:33.619339+00:00", "value": {"mitigation_remediation": ["Upgrade Mapster WP\u00a0Maps to the latest available version (>=\u202f1.21).", "If an upgrade is not possible, disable or uninstall the plugin to eliminate the vulnerable code path.", "Restrict contributor and higher roles from editing map fields, or remove unnecessary map features from the site\u2019s configuration to limit the attack surface."], "summary": {"action": "Update Plugin", "impact": "Stored X\u2011SS\u00a0(Contributor+)."}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Mapster\u00a0WP\u00a0Maps plugin installed with a version equal to or older than 1.20.0 are affected. The plugin is provided by the vendor Mapster and is deployed as a WordPress plugin, so any site that installs it uses the vulnerable code path. No other products are listed as affected.", "description_and_impact": "The Mapster WP\u00a0Maps plugin for WordPress is vulnerable to stored cross\u2011site scripting in versions up to 1.20.0 because it fails to sanitize and escape user input in several admin fields. An authenticated attacker with contributor permissions or higher can inject arbitrary scripts that are then stored in the database and served because the plugin outputs the values without escaping. The injected scripts run in the browser context of anyone visiting the affected page, enabling session hijacking, content theft, or site defacement. The weakness is a classic input validation flaw (CWE\u201179).", "risk_and_exploitability": "The vulnerability receives a CVSS score of 6.4, indicating moderate severity. The EPSS score is below 1\u202f%, implying a very low probability of exploitation at the time of analysis, and it is not flagged in CISA\u2019s KEV catalog. The attack requires an authenticated user with at least contributor privileges, so the risk is limited to sites with such roles available. If a user gains that access, the attacker can inject persistent scripts that execute on all subsequent page loads of visitors. The exploit path is straightforward: a contributor edits a map field, submits arbitrary JavaScript, and the plugin stores and later outputs it unescaped."}}}}, "created": "2025-09-26T11:35:17.525613+00:00", "updated": "2026-04-20T19:30:06.170846+00:00", "vendors": ["mapster", "mapster$PRODUCT$mapster_wp_maps", "wordpress", "wordpress$PRODUCT$wordpress"]}