Attack Vectors
CVE-2025-14851 affects the YaMaps for WordPress plugin (slug: yamaps) in versions up to and including 0.6.40, and is rated Medium severity (CVSS 6.4). The issue is a stored cross-site scripting (XSS) vulnerability that can be triggered through the yamap shortcode parameters.
The practical risk comes from inside the site's own user base: an authenticated WordPress user with at least Contributor access can inject malicious script content into a page or post where the shortcode is used. Because it is “stored,” the script is saved with the content and runs later for anyone who views the affected page—without requiring that visitor to click anything.
Security Weakness
The root cause is insufficient input sanitization and output escaping for user-supplied shortcode attributes in YaMaps for WordPress <= 0.6.40. In business terms, the plugin does not adequately validate or safely display certain shortcode parameters before rendering them on the site.
This weakness matters because WordPress shortcodes are often used in marketing pages and landing pages—high-traffic areas where a single injected page can expose many visitors, customers, and employees to a malicious script.
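The following is an added illustration, not code from the YaMaps plugin or from the advisory, of the defect class described above: a shortcode handler that interpolates attributes straight into HTML beside one that validates each attribute on input and escapes it for its output context. The shortcode name and attribute names (`center`, `zoom`, `width`, `height`, `caption`) are hypothetical; the advisory does not list the real yamap parameters. The WordPress helpers used (`shortcode_atts`, `absint`, `sanitize_text_field`, `esc_attr`, `esc_html`, `add_shortcode`) are standard core functions.

```php
<?php
/**
 * Added example (not YaMaps or advisory code). Shortcode and attribute
 * names are hypothetical. Contrasts an unsafe shortcode handler with a
 * hardened one that validates on input and escapes per output context.
 */

// Unsafe pattern: user-supplied attributes are concatenated into markup.
// A Contributor who saves [example_map caption='"><script>...</script>']
// gets that payload stored with the post and rendered for every viewer.
function example_map_shortcode_unsafe( $atts ) {
    $a = shortcode_atts(
        array( 'center' => '55.75,37.62', 'zoom' => '10', 'caption' => '' ),
        $atts,
        'example_map'
    );
    return '<div class="example-map" data-center="' . $a['center']
         . '" data-zoom="' . $a['zoom'] . '">' . $a['caption'] . '</div>';
}

// Hardened pattern: normalize each attribute to its expected shape on input,
// then escape on output using the helper that matches the output context.
function example_map_shortcode_safe( $atts ) {
    $defaults = array(
        'center'  => '55.75,37.62',
        'zoom'    => '10',
        'width'   => '100%',
        'height'  => '400px',
        'caption' => '',
    );
    $a = shortcode_atts( $defaults, $atts, 'example_map' );

    // center must be "lat,lon"; anything else falls back to the default.
    if ( ! preg_match( '/^-?\d{1,3}(\.\d+)?,-?\d{1,3}(\.\d+)?$/', $a['center'] ) ) {
        $a['center'] = $defaults['center'];
    }

    // zoom is an integer clamped to a known range.
    $zoom = min( 19, max( 0, absint( $a['zoom'] ) ) );

    // CSS lengths: only digits followed by px or %; no expressions, no url().
    foreach ( array( 'width', 'height' ) as $dim ) {
        if ( ! preg_match( '/^\d{1,4}(px|%)$/', $a[ $dim ] ) ) {
            $a[ $dim ] = $defaults[ $dim ];
        }
    }

    // caption is free text: strip tags/control chars on input, escape on output.
    $caption = sanitize_text_field( $a['caption'] );

    $style = sprintf( 'width:%s;height:%s', $a['width'], $a['height'] );

    // esc_attr() for attribute values, esc_html() for element text, %d for the int.
    return sprintf(
        '<div class="example-map" data-center="%s" data-zoom="%d" style="%s"><p>%s</p></div>',
        esc_attr( $a['center'] ),
        $zoom,
        esc_attr( $style ),
        esc_html( $caption )
    );
}

add_shortcode( 'example_map', 'example_map_shortcode_safe' );
```

The point of the hardened version is that validation and escaping are separate steps: allow-list validation rejects values that cannot be a coordinate, zoom level or CSS length at all, and context-specific escaping covers the one free-text field that cannot be allow-listed. If the plugin also hands these values to a front-end script, they should be passed through `wp_json_encode()` (or `wp_add_inline_script()` with an encoded object) rather than built into a `<script>` block by string concatenation.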
Technical or Business Impacts
Stored XSS can lead to brand and revenue damage even when the vulnerability is “only” Medium severity. If exploited, an attacker could alter how a page behaves for visitors, potentially capturing form entries, redirecting users, displaying unauthorized content, or interfering with analytics and conversion tracking.
For leadership and compliance teams, the key impacts include reputational harm (customers seeing suspicious behavior on your site), increased incident response costs, and potential compliance exposure if user data is mishandled during an attack. Marketing teams may also see campaign performance disrupted if scripts manipulate landing page content, tags, or attribution signals.
Recommended action: update YaMaps for WordPress to version 0.6.41 or newer (patched). Track this as a time-sensitive maintenance item because the required attacker privilege (Contributor+) is commonly granted to content creators, agencies, or vendors.
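As an added triage aid, not part of the advisory or the plugin, the script below lists posts whose `[yamap]` shortcodes carry attribute values containing HTML- or JavaScript-significant characters, so a site owner can review content saved by Contributor-level accounts before or after applying the update. It assumes it is executed inside a loaded WordPress install (for example via `wp eval-file yamap-triage.php`); the character heuristic is an assumption, since legitimate map parameters (coordinates, sizes, labels) do not need angle brackets, quotes, `javascript:` or `on*=` handlers. It inspects every attribute rather than specific names, because the real parameter list is not given on the page.

```php
<?php
/**
 * Added example (not YaMaps or advisory code). Run inside WordPress, e.g.
 *   wp eval-file yamap-triage.php
 * Flags [yamap] shortcode attributes whose values contain characters that
 * are meaningless for a map parameter but meaningful to an HTML parser.
 * The suspicious-character pattern is an assumption for illustration.
 */

function example_yamap_find_suspicious_shortcodes( $content ) {
    $hits = array();
    if ( ! has_shortcode( $content, 'yamap' ) ) {
        return $hits;
    }

    // Core regex limited to the yamap tag; group 3 is the raw attribute string.
    $pattern = get_shortcode_regex( array( 'yamap' ) );
    if ( ! preg_match_all( '/' . $pattern . '/s', $content, $matches, PREG_SET_ORDER ) ) {
        return $hits;
    }

    foreach ( $matches as $m ) {
        $atts = shortcode_parse_atts( $m[3] );
        if ( ! is_array( $atts ) ) {
            continue; // no attributes present
        }
        foreach ( $atts as $name => $value ) {
            if ( preg_match( '/[<>"\']|javascript:|on\w+\s*=/i', (string) $value ) ) {
                $hits[] = array( 'attr' => $name, 'value' => $value );
            }
        }
    }
    return $hits;
}

// Include unpublished states: a Contributor's pending/draft posts are exactly
// where an injected shortcode would sit before an editor approves it.
$query = new WP_Query( array(
    'post_type'      => 'any',
    'post_status'    => array( 'publish', 'pending', 'draft', 'future', 'private' ),
    'posts_per_page' => -1,
    's'              => '[yamap',
    'fields'         => 'ids',
) );

foreach ( $query->posts as $post_id ) {
    $post = get_post( $post_id );
    $hits = example_yamap_find_suspicious_shortcodes( $post->post_content );
    foreach ( $hits as $h ) {
        printf(
            "post %d (%s, author user ID %d): attribute '%s' = %s\n",
            $post_id,
            $post->post_status,
            $post->post_author,
            $h['attr'],
            $h['value']
        );
    }
}
```

Each flagged line gives the post ID, its status and the author's user ID, which is the starting point for reviewing that account's other content and its role assignment; matches in `pending` or `draft` posts are worth attention because they show the vector being used even if nothing has reached a public page yet.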
Similar Attacks
Stored XSS vulnerabilities in WordPress ecosystems are frequently abused because they can persist on high-visibility pages. For reference, here are a few well-known examples of cross-site scripting issues (not specific to YaMaps) that illustrate the broader pattern:
CISA Alert: WordPress Elementor Pro Vulnerable to Authenticated Reflected XSS (2022)
Wordfence blog: Ongoing reporting on WordPress plugin XSS and related exploitation trends