CVE-2025-32661 Overview
CVE-2025-32661 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Map Plugins Interactive US Map WordPress plugin (interactive-us-map). The flaw allows attackers to chain CSRF with Stored Cross-Site Scripting (XSS), enabling persistent script injection into plugin-managed content. The vulnerability affects all versions up to and including 2.7. Successful exploitation requires an authenticated administrator to interact with an attacker-controlled page. Once triggered, the injected payload executes in the browser context of any user who later views the affected page, enabling session hijacking, privileged actions performed with the victim's rights, or compromise of the WordPress backend.
Critical Impact
An unauthenticated attacker can trick a logged-in administrator into submitting a forged request that stores arbitrary JavaScript in WordPress, leading to persistent XSS execution against site visitors and admins.
Affected Products
- WP Map Plugins Interactive US Map (interactive-us-map) plugin for WordPress
- All versions from n/a through 2.7
- WordPress sites with the vulnerable plugin installed and active
Discovery Timeline
- 2025-04-09 - CVE-2025-32661 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-32661
Vulnerability Analysis
The vulnerability stems from missing CSRF protections on plugin endpoints that accept administrative input. The plugin fails to validate WordPress nonces or verify the origin of state-changing requests. This omission maps to CWE-352, Cross-Site Request Forgery.
Because the affected endpoint also fails to sanitize or encode user-supplied input before persisting it to the database, an attacker can inject HTML and JavaScript that is later rendered without escaping. The combination produces a CSRF-to-Stored-XSS chain. The injected payload persists across sessions and executes whenever the affected map content is rendered in a browser.
Root Cause
The plugin does not call wp_verify_nonce() or check_admin_referer() on form submissions that update map configuration data. Input fields containing map labels, descriptions, or markup are stored verbatim and echoed without esc_html() or wp_kses() filtering. The dual failure of request authentication and output encoding produces the chained vulnerability.
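As an added illustration of the dual failure described above (not the plugin's own code), the vulnerable handler pattern is shown beside a hardened one. The option name ius_state_label, the nonce action ius_save_map, the nonce field ius_nonce and the form field state_label are assumptions; the WordPress functions are real.

```php
<?php
// Added illustration of the defect the advisory describes and its fix; not the
// plugin's own code. Option name, nonce action and field names are assumptions,
// the WordPress functions are real.

// Vulnerable pattern: no nonce or capability check, the submitted label is
// stored verbatim and later echoed without escaping.
function ius_save_label_vulnerable() {
    if ( isset( $_POST['state_label'] ) ) {
        update_option( 'ius_state_label', $_POST['state_label'] );
    }
}
function ius_render_label_vulnerable() {
    echo '<div class="ius-label">' . get_option( 'ius_state_label' ) . '</div>';
}

// Hardened handler: a forged cross-site form cannot carry a valid nonce, so
// check_admin_referer() breaks the CSRF half of the chain; sanitising on input
// and escaping on output breaks the stored-XSS half.
function ius_save_label_hardened() {
    if ( ! isset( $_POST['state_label'] ) ) {
        return;
    }
    // Terminates the request if the nonce is missing or invalid.
    check_admin_referer( 'ius_save_map', 'ius_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // Map labels are plain text, so strip all markup. If limited HTML must be
    // allowed in descriptions, use wp_kses_post() instead.
    $label = sanitize_text_field( wp_unslash( $_POST['state_label'] ) );
    update_option( 'ius_state_label', $label );
}
function ius_render_label_hardened() {
    // Escape at output time regardless of what is stored.
    echo '<div class="ius-label">' . esc_html( get_option( 'ius_state_label', '' ) ) . '</div>';
}
// The settings form emits the nonce field that the hardened handler verifies.
function ius_settings_form_hardened() {
    echo '<form method="post">';
    wp_nonce_field( 'ius_save_map', 'ius_nonce' );
    echo '<input type="text" name="state_label">';
    submit_button( 'Save' );
    echo '</form>';
}
```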
Attack Vector
The attack requires user interaction from an authenticated administrator. An attacker hosts a malicious page containing a hidden form or fetch() request that targets the plugin's settings endpoint on the victim's WordPress site. When the administrator visits the attacker page while logged into WordPress, the browser submits the forged request with valid session cookies. The plugin accepts and stores the malicious payload.
The stored payload then executes in any browser that loads the page containing the affected map widget, including site visitors and other administrators viewing the WordPress dashboard preview.
The vulnerability is exploitable over the network without authentication on the attacker side. See the Patchstack Vulnerability Report for additional technical details.
Detection Methods for CVE-2025-32661
Indicators of Compromise
- Unexpected <script> tags, event handlers (onerror, onload), or obfuscated JavaScript stored in plugin tables or wp_options entries related to interactive-us-map.
- New or modified administrator accounts created shortly after an admin viewed an external link.
- Outbound requests from visitor browsers to unfamiliar domains when rendering pages that embed the US Map widget.
Detection Strategies
- Audit plugin database entries and post content for HTML and JavaScript markup that should not appear in map labels or descriptions.
- Inspect web server access logs for POST requests to plugin admin endpoints that carry no Referer header, or one that does not point to the site's own WordPress admin.
- Review browser Content Security Policy (CSP) violation reports for inline script execution on pages that embed the map.
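An added audit helper for the first detection strategy above (not from the advisory or the plugin): it scans plugin configuration values for markup that has no place in map labels or descriptions, checking a decoded copy as well so entity- or percent-encoded payloads are not missed. The option keys and sample values are constructed.

```php
<?php
// Added audit helper, not part of the plugin or the advisory. Run it over
// exported interactive-us-map option values; the sample below is constructed.

function ius_markup_findings( array $entries ): array {
    $patterns = array(
        'script tag'        => '/<\s*script\b/i',
        'inline handler'    => '/\bon[a-z]+\s*=/i',
        'javascript: URL'   => '/javascript\s*:/i',
        'embedding element' => '/<\s*(iframe|object|embed|svg|img)\b/i',
    );
    $findings = array();
    foreach ( $entries as $key => $value ) {
        // Check the raw value and a decoded copy (percent- then entity-decoded).
        $candidates = array( $value, html_entity_decode( urldecode( $value ), ENT_QUOTES ) );
        foreach ( $patterns as $label => $re ) {
            foreach ( $candidates as $text ) {
                if ( preg_match( $re, $text ) ) {
                    $findings[ $key ][] = $label;
                    break;
                }
            }
        }
    }
    return $findings; // key => list of matched pattern labels; flagged values need manual review
}

// Constructed sample of what a map-label option set might hold.
$sample = array(
    'label_tx' => 'Texas',
    'label_ca' => 'California <img src=x onerror=alert(1)>',
    'desc_ny'  => '&lt;script&gt;alert(1)&lt;/script&gt;',
    'desc_fl'  => 'Sunshine State',
);

foreach ( ius_markup_findings( $sample ) as $key => $labels ) {
    printf( "%s: %s\n", $key, implode( ', ', $labels ) );
}
```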
Monitoring Recommendations
- Enable WordPress audit logging to track plugin setting changes and the originating user, IP, and referer.
- Monitor for anomalous administrative actions following off-site navigation events.
- Alert on creation of admin users, plugin installation, or theme edits that occur in close succession to map-plugin configuration updates.
How to Mitigate CVE-2025-32661
Immediate Actions Required
- Identify all WordPress installations running the interactive-us-map plugin and confirm the installed version.
- Deactivate the plugin on any site running version 2.7 or earlier until a patched release is verified.
- Force-reset administrator sessions and rotate credentials if compromise is suspected.
- Review plugin configuration data for injected scripts and restore from a known-good backup if needed.
Patch Information
At the time of publication, the advisory references versions through 2.7 as affected with no fixed version explicitly listed in the NVD record. Consult the Patchstack Vulnerability Report and the WordPress plugin repository for the latest vendor update. Apply any vendor-released patch immediately upon availability.
Workarounds
- Remove or deactivate the plugin until a patched version is published.
- Deploy a Web Application Firewall (WAF) rule to block POST requests to plugin endpoints that lack a same-origin Referer or a WordPress nonce parameter (a WAF can check that the nonce parameter is present, not that it is valid; validation remains the plugin's job).
- Apply a strict Content Security Policy that disallows inline scripts on public pages embedding the map widget.
- Have administrators use a dedicated browser profile or session for WordPress administration rather than browsing other sites while logged in.
# Example WAF rule snippet (ModSecurity) to block cross-origin POSTs to plugin endpoints.
# A SecRule never matches on a header that is absent, so rule 1003266 alone would let a
# POST with no Referer through; rule 1003267 (id assumed here, fit it to your numbering)
# covers that case. ARGS:page is the admin.php query parameter, available in phase 1.
# Replace your-site.example with the site's own origin.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1003266,phase:1,deny,status:403,chain,msg:'Block cross-origin POST to interactive-us-map'"
    SecRule REQUEST_URI "@contains /wp-admin/admin.php" "chain"
    SecRule ARGS:page "@beginsWith interactive-us-map" "chain"
    SecRule REQUEST_HEADERS:Referer "!@beginsWith https://your-site.example/wp-admin/"

SecRule REQUEST_METHOD "@streq POST" \
    "id:1003267,phase:1,deny,status:403,chain,msg:'Block POST without Referer to interactive-us-map'"
    SecRule REQUEST_URI "@contains /wp-admin/admin.php" "chain"
    SecRule ARGS:page "@beginsWith interactive-us-map" "chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


