CVE-2025-8622
Published
CVSS v3: 6.4 (MEDIUM)
CVSS v2: N/A
Affected: 2 projects
Description
The Flexible Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Flexible Maps shortcode in all versions up to, and including, 1.18.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
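The defect class the advisory describes is a shortcode handler that drops user-supplied attribute values straight into HTML. The following is an added illustration written for this page, not the Flexible Map plugin's own code: a minimal handler showing the weak pattern beside a hardened one that validates attributes with a known shape and escapes everything at output. The shortcode tag (`example_map`) and attribute names are assumed.

```php
<?php
// Added illustration, not the Flexible Map plugin's code. Shortcode tag and
// attribute names are assumed. Contributors cannot post raw HTML, but shortcode
// attributes are stored in post content and rendered at display time, so any
// value that reaches markup unescaped becomes stored XSS.

// Weak pattern: attributes are concatenated into markup without escaping.
function example_map_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array(
        'center' => '',
        'width'  => '100%',
        'title'  => '',
    ), $atts, 'example_map' );

    return '<div class="example-map" data-center="' . $atts['center'] . '"'
         . ' style="width:' . $atts['width'] . '" title="' . $atts['title'] . '"></div>';
}

// Hardened pattern: validate what has a known shape, escape everything at output.
function example_map_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array(
        'center' => '',
        'width'  => '100%',
        'title'  => '',
    ), $atts, 'example_map' );

    // A centre is "lat,lng"; anything else is discarded rather than echoed.
    $center = preg_match( '/^-?\d+(\.\d+)?,-?\d+(\.\d+)?$/', $atts['center'] )
        ? $atts['center'] : '';

    // Width must be a number with an optional px or % unit; this also keeps
    // attacker-controlled text out of the style attribute entirely.
    $width = preg_match( '/^\d+(px|%)?$/', $atts['width'] ) ? $atts['width'] : '100%';

    // Free text is allowed, but always passes through esc_attr() in attribute context.
    return '<div class="example-map" data-center="' . esc_attr( $center ) . '"'
         . ' style="width:' . esc_attr( $width ) . '"'
         . ' title="' . esc_attr( $atts['title'] ) . '"></div>';
}

add_shortcode( 'example_map', 'example_map_shortcode_safe' );
```

When reviewing a plugin for this class of issue, grep each shortcode callback for attribute values that reach `return` or `echo` without passing through `esc_attr()`, `esc_url()`, `esc_html()` or an explicit allow-list.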
Embed Google Maps in WordPress pages and posts, either by centre coordinates or street address, or by URL to a Google Earth KML file.
<p>Flexible Map allows you to add Google Maps to your WordPress website with simple shortcodes.</p>
<h3>Features</h3>
<ul>
<li>three ways to load a map:
<ul>
<li>by center coordinates</li>
<li>by street address</li>
<li>by URL to a Google Earth KML file</li>
</ul>
</li>
<li>simple shortcode for adding maps to pages/posts</li>
<li>PHP function <code>flexmap_show_map()</code> for theme and plugin developers</li>
<li>supports multiple maps on a page/post</li>
<li>supports responsive design — specify width / height in percent</li>
<li>map marker doesn’t have to be the center of the map</li>
<li>optional description for info window</li>
<li>optional directions link for info window</li>
<li>directions can be dropped into any div element with an ID</li>
<li>minimal dependencies — just WordPress and the Google Maps API</li>
</ul>
<p><a href="https://flexible-map.webaware.net.au/manual/getting-started/" rel="nofollow ugc">Get started with Flexible Map</a>.<br />
<a href="https://flexible-map.webaware.net.au/manual/" rel="nofollow ugc">Read the manual online</a>.</p>
<h3>Sponsorships</h3>
<ul>
<li>directions on KML maps generously sponsored by <a href="http://www.rogerlos.com/" rel="nofollow ugc">Roger Los</a></li>
</ul>
<p>Thanks for sponsoring new features on WP Flexible Maps!</p>
<h3>Translations</h3>
<p>Many thanks to the generous efforts of our translators:</p>
<ul>
<li>Czech (cs) — <a href="https://profiles.wordpress.org/caslavak/" rel="nofollow ugc">caslavak</a> and the <a href="https://translate.wordpress.org/locale/cs/default/wp-plugins/wp-flexible-map" rel="nofollow ugc">Czech translation team</a></li>
<li>Dutch (nl) — <a href="https://lijndiensten.com/" rel="nofollow ugc">Ivan Beemster</a> and the <a href="https://translate.wordpress.org/locale/nl/default/wp-plugins/wp-flexible-map" rel="nofollow ugc">Dutch translation team</a></li>
<li>English (en_CA) — <a href="https://translate.wordpress.org/locale/en-ca/default/wp-plugins/wp-flexible-map" rel="nofollow ugc">the English (Canadian) translation team</a></li>
<li>French (fr) — <a href="https://profiles.wordpress.org/mister-klucha/" rel="nofollow ugc">mister klucha</a> and the <a href="https://translate.wordpress.org/locale/fr/default/wp-plugins/wp-flexible-map" rel="nofollow ugc">French translation team</a></li>
<li>German (de) — <a href="https://www.caribdesign.com/" rel="nofollow ugc">Carib Design</a> and the <a href="https://translate.wordpress.org/locale/de/default/wp-plugins/wp-flexible-map" rel="nofollow ugc">German translation team</a></li>
<li>Greek (el) — <a href="https://profiles.wordpress.org/ironwiller/" rel="nofollow ugc">Pantelis Orfanos</a></li>
<li>Hungarian (hu) — Krisztián Vörös</li>
<li>Italian (it_IT) — the <a href="https://translate.wordpress.org/locale/it/default/wp-plugins/wp-flexible-map" rel="nofollow ugc">Italian translation team</a></li>
<li>Korean (ko_KR) — the <a href="https://translate.wordpress.org/locale/ko/default/wp-plugins/wp-flexible-map" rel="nofollow ugc">Korean translation team</a></li>
<li>Swedish (sv_SE) — the <a href="https://translate.wordpress.org/locale/sv/default/wp-plugins/wp-flexible-map" rel="nofollow ugc">Swedish translation team</a></li>
<li>Norwegian: Bokmål (nb_NO) — <a href="https://www.neonnero.com/" rel="nofollow ugc">neonnero</a></li>
<li>Norwegian: Nynorsk (nn_NO) — <a href="https://www.neonnero.com/" rel="nofollow ugc">neonnero</a></li>
<li>Portuguese (pt_BR) — Alexsandro Santos and Paulo Henrique</li>
<li>Spanish (es) — <a href="https://profiles.wordpress.org/edurramos/" rel="nofollow ugc">edurramos</a></li>
<li>Welsh (cy) — <a href="https://profiles.wordpress.org/dtom-ct-wp/" rel="nofollow ugc">Dylan</a></li>
</ul>
<p>The initial translations for all other languages were made using Google Translate, so it’s likely that some will be truly awful! If you’d like to help out by translating this plugin, please <a href="https://translate.wordpress.org/projects/wp-plugins/wp-flexible-map" rel="nofollow ugc">sign up for an account and dig in</a>.</p>
<h3>Privacy</h3>
<p>Flexible Map embeds Google Maps into your web pages. Please review Google’s <a href="https://cloud.google.com/maps-platform/terms/maps-controller-terms/" rel="nofollow ugc">Privacy and Personal Information</a> for information about how that affects your website’s Privacy Policy. By using this plugin, you are agreeing to the terms of use for Google Maps.</p>
<p>The Flexible Map plugin itself does not collect any personally identifying information, and does not set any cookies itself.</p>