CVE-2025-13364 Overview
CVE-2025-13364 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Maps WordPress plugin, also known as wp-google-map-plugin. The flaw affects all versions up to and including 4.8.7 and stems from insufficient input sanitization and output escaping on user-supplied attributes within the put_wpgm shortcode [CWE-79]. Authenticated attackers holding contributor-level access or higher can inject arbitrary web scripts that execute when any visitor renders the affected page. The plugin advertises Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory, and Filters functionality, giving the issue broad install exposure.
Critical Impact
Authenticated contributors can inject persistent JavaScript into WordPress pages, enabling session theft, administrative account takeover, and arbitrary redirection of site visitors.
Affected Products
- WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress
- All versions up to and including 4.8.7
- WordPress sites permitting contributor-or-higher user registration
Discovery Timeline
- 2026-04-16 - CVE-2025-13364 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2025-13364
Vulnerability Analysis
The vulnerability resides in the handler for the put_wpgm shortcode shipped by the WP Maps plugin. Shortcode attributes pass through the plugin without proper sanitization on input and without escaping on output. When a contributor embeds the shortcode with attacker-controlled attribute values, the plugin renders those values directly into the page HTML. The browser parses the injected payload as executable script in the context of the WordPress site origin.
Because the payload is stored in the post or page record, every subsequent visitor — including authenticated administrators — triggers the injected JavaScript. Typical post-exploitation outcomes include theft of authentication cookies, forced password resets, plugin or theme modification through the admin REST endpoints, and pivoting to full site takeover.
Root Cause
The put_wpgm shortcode callback fails to apply WordPress sanitization helpers such as sanitize_text_field() on incoming attributes and omits escaping helpers such as esc_attr() or esc_html() when rendering output. The fix landed in version 4.8.8 per the plugin changeset published on plugins.trac.wordpress.org.
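An added illustration of the defect class and its remedy, written for this page and not taken from the WP Maps code base (the plugin's actual handler and the 4.8.8 diff are not reproduced here); the function names are hypothetical, while shortcode_atts(), absint(), sanitize_text_field() and esc_attr() are real WordPress helpers:

```php
<?php
// Added illustration, not the WP Maps plugin's actual code: the bug class the
// advisory describes (unsanitized, unescaped shortcode attributes) beside a
// hardened form that uses the WordPress helpers named above.

// "Before": attribute values flow straight from the post body into the markup.
function wpgm_render_vulnerable( $atts ) {
    $atts  = is_array( $atts ) ? $atts : array();
    $id    = isset( $atts['id'] ) ? $atts['id'] : '';
    $width = isset( $atts['width'] ) ? $atts['width'] : '100%';
    // Sink: a value containing a quote or angle bracket terminates the attribute
    // and the remainder is parsed as HTML in the site's origin (stored XSS).
    return '<div class="wpgm-map" data-map-id="' . $id . '" style="width:' . $width . '"></div>';
}

// Accept only simple CSS lengths; anything else falls back to the default.
function wpgm_css_length( $value, $default ) {
    return preg_match( '/^\d{1,5}(px|%|em|vh|vw)$/', $value ) ? $value : $default;
}

// "After": whitelist attribute names, constrain types, escape for the sink's context.
function wpgm_render_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => 0, 'width' => '100%', 'height' => '400px' ), // unknown keys are dropped
        $atts,
        'put_wpgm' // third argument enables the shortcode_atts_put_wpgm filter
    );
    $id     = absint( $atts['id'] );                                       // integer only
    $width  = wpgm_css_length( sanitize_text_field( $atts['width'] ), '100%' );
    $height = wpgm_css_length( sanitize_text_field( $atts['height'] ), '400px' );

    // esc_attr() encodes quotes and angle brackets so the value cannot close the
    // attribute; %d keeps the id numeric regardless of what the post contained.
    return sprintf(
        '<div class="wpgm-map" data-map-id="%d" style="%s"></div>',
        $id,
        esc_attr( 'width:' . $width . ';height:' . $height )
    );
}

add_shortcode( 'put_wpgm', 'wpgm_render_hardened' );
```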
Attack Vector
The attack requires network access and authenticated contributor privileges. Beyond loading the page, no victim interaction is required for the stored payload to execute. The scope change (S:C) reflects that the injected script runs in the WordPress origin and can affect administrators who never authored the malicious content.
The vulnerability is exploited entirely through standard WordPress post and shortcode mechanics — no custom binary or network protocol is involved. See the Wordfence Vulnerability Report for additional technical detail.
Detection Methods for CVE-2025-13364
Indicators of Compromise
- Post or page revisions authored by contributor accounts containing [put_wpgm ...] shortcodes with attributes holding <script>, onerror=, onload=, or javascript: substrings.
- Outbound browser requests from admin sessions to unfamiliar domains shortly after viewing pages that embed the put_wpgm shortcode.
- Unexpected administrator account creation or privilege changes following contributor publishing activity.
Detection Strategies
- Query the wp_posts table for post_content LIKE '%put_wpgm%' and review attribute values for HTML or JavaScript syntax.
- Inspect the rendered HTML of pages embedding the shortcode for inline event handlers or <script> tags sourced from contributor authors.
- Correlate WordPress audit logs of contributor publish events with subsequent administrator session activity from the same client IP ranges.
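The first two detection steps as a standalone PHP script, added here rather than taken from the plugin or the advisory; the function names and sample rows are constructed, and in practice the rows would come from the wp_posts query above:

```php
<?php
// Added example, not plugin code: scan rows exported from wp_posts (e.g. SELECT ID,
// post_author, post_content FROM wp_posts WHERE post_content LIKE '%put_wpgm%')
// and flag put_wpgm attribute values that carry the indicators listed above.

// Return the attribute text of every [put_wpgm ...] occurrence in a post body.
function wpgm_extract_shortcodes( $content ) {
    preg_match_all( '/\[put_wpgm\b([^\]]*)\]/i', $content, $m );
    return $m[1];
}

// Parse key="v", key='v' and key=v pairs the way shortcode_parse_atts() does.
function wpgm_parse_atts( $text ) {
    $atts = array();
    $re = '/(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*\'([^\']*)\'|(\w+)\s*=\s*([^\s"\']+)/';
    preg_match_all( $re, $text, $matches, PREG_SET_ORDER );
    foreach ( $matches as $m ) {
        if ( $m[1] !== '' )     { $atts[ strtolower( $m[1] ) ] = $m[2]; }
        elseif ( $m[3] !== '' ) { $atts[ strtolower( $m[3] ) ] = $m[4]; }
        else                    { $atts[ strtolower( $m[5] ) ] = $m[6]; }
    }
    return $atts;
}

// Indicators: script tags, javascript: URLs, inline on*= handlers, or raw quotes
// and angle brackets that would close an attribute. Entities are decoded first.
function wpgm_is_suspicious( $value ) {
    $decoded = html_entity_decode( $value, ENT_QUOTES | ENT_HTML5 );
    return (bool) preg_match( '/<\s*script|javascript\s*:|\bon[a-z]+\s*=|[<>"\']/i', $decoded );
}

function wpgm_scan_rows( array $rows ) {
    $findings = array();
    foreach ( $rows as $row ) {
        foreach ( wpgm_extract_shortcodes( $row['post_content'] ) as $attr_text ) {
            foreach ( wpgm_parse_atts( $attr_text ) as $name => $value ) {
                if ( wpgm_is_suspicious( $value ) ) {
                    $findings[] = array( 'post_id' => $row['ID'], 'author' => $row['post_author'], 'attr' => $name, 'value' => $value );
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows: a benign embed, and one whose width value closes the
// attribute with a quote and is followed by an event-handler indicator.
$rows = array(
    array( 'ID' => 101, 'post_author' => 7, 'post_content' => 'Find us: [put_wpgm id="1" width="100%"]' ),
    array( 'ID' => 102, 'post_author' => 7, 'post_content' => "[put_wpgm id='1' width='100%\" onload=x']" ),
);
foreach ( wpgm_scan_rows( $rows ) as $f ) {
    printf( "post %d by author %d: %s=%s\n", $f['post_id'], $f['author'], $f['attr'], $f['value'] );
}
```

Only post 102 is reported (attribute width); review each hit against the author's revision history before removing or re-saving the content.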
Monitoring Recommendations
- Enable a Web Application Firewall (WAF) ruleset that blocks script tags and event-handler attributes inside shortcode parameters.
- Alert on creation or modification of WordPress administrator accounts that originate from sessions initiated immediately after rendering content with put_wpgm.
- Monitor plugin version drift across managed WordPress fleets to identify hosts still running WP Maps 4.8.7 or earlier.
How to Mitigate CVE-2025-13364
Immediate Actions Required
- Update the WP Maps plugin to version 4.8.8 or later on all WordPress instances.
- Audit existing posts and pages for malicious put_wpgm shortcode attributes and remove or sanitize any suspicious content.
- Rotate session tokens and require password resets for administrator accounts that may have rendered tainted pages.
Patch Information
The vendor released a fix in version 4.8.8. The remediation adds sanitization and output escaping to the put_wpgm shortcode handler. Review the WordPress Plugin Change Log for the exact code changes between 4.8.7 and 4.8.8.
Workarounds
- Restrict contributor-and-above publishing capabilities until the plugin is patched, or temporarily deactivate the WP Maps plugin.
- Apply a virtual patch through a WAF that strips HTML control characters from shortcode attribute values.
- Enforce a strict Content Security Policy (CSP) that disallows inline script execution on WordPress front-end pages.
# Update WP Maps via WP-CLI on affected hosts
wp plugin update wp-google-map-plugin --version=4.8.8
wp plugin list --name=wp-google-map-plugin --fields=name,status,version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.