Skip to main content

Slick Google Map CVE-2025-48078

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Apr 24, 2026 - 01:04 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
8.8 (HIGH) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
HIGH 8.8

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Norbert Slick Google Map slick-google-map allows Stored XSS.This issue affects Slick Google Map: from n/a through <= 0.3.

AnalysisAI

Cross-Site Request Forgery in the Slick Google Map WordPress plugin version 0.3 and earlier enables stored XSS attacks. An attacker can trick authenticated WordPress administrators into executing malicious requests that inject persistent JavaScript into the site, achieving cross-site scripting with changed scope impact. EPSS exploitation probability is low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis.

Technical ContextAI

This vulnerability combines CWE-352 (Cross-Site Request Forgery) as the initial attack vector with stored XSS as the ultimate payload. The Slick Google Map WordPress plugin lacks CSRF protection tokens on administrative functions that accept user-controlled input for Google Map configuration or settings. When an authenticated administrator is tricked into visiting a malicious page or clicking a crafted link, their browser automatically sends authenticated requests to the vulnerable plugin endpoints. These forged requests inject malicious JavaScript that persists in the database and executes in victims' browsers when viewing affected pages. The CVSS scope change (S:C) indicates the injected script executes in a different security context than the vulnerable plugin itself, allowing DOM-based attacks against site visitors beyond the WordPress admin interface.

Affected ProductsAI

The vulnerability affects the Slick Google Map WordPress plugin developed by Norbert, specifically all versions through 0.3 and earlier. According to Patchstack database records, this includes version 0.3 as the latest confirmed vulnerable release. The plugin identifier on WordPress.org is 'slick-google-map'. No CPE string was provided in the available data, but the affected product can be identified as WordPress installations with the Slick Google Map plugin installed and activated, regardless of WordPress core version. Users should verify their installed plugin version through the WordPress admin dashboard under Plugins.

RemediationAI

Update the Slick Google Map plugin to a version newer than 0.3 if available. Check the WordPress.org plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/slick-google-map/vulnerability/wordpress-slick-google-map-plugin-0-3-cross-site-request-forgery-csrf-to-stored-xss-vulnerability for the specific patched version number. If no updated version is available, implement the following compensating controls: disable the Slick Google Map plugin entirely if not business-critical, as no patch version is confirmed in the available data. Restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules to prevent CSRF exploitation from external networks. Implement Content Security Policy headers that restrict script-src to same-origin and trusted CDNs, which limits stored XSS payload execution though does not prevent injection itself. Train administrators to never click external links or visit untrusted websites while logged into WordPress admin panels. Consider replacing with actively maintained alternatives like WP Google Maps or MapPress. Note that CSP may break legitimate plugin functionality if maps rely on inline scripts.

Share

CVE-2025-48078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy