Platform
wordpress
Component
slick-google-map
Fixed in
0.3.1
CVE-2025-48078 describes a Cross-Site Request Forgery (CSRF) vulnerability leading to Stored XSS within the Slick Google Map WordPress plugin. This allows attackers to inject malicious scripts into the plugin, potentially compromising user accounts and website functionality. The vulnerability affects versions from 0.0.0 through 0.3, and a fix is available in version 0.3.1.
An attacker can leverage this vulnerability to inject arbitrary JavaScript code into the Slick Google Map plugin. Because the flaw is a CSRF, the attacker needs no credentials of their own: the injection is triggered when a logged-in user is lured to an attacker-controlled page that submits the forged request on that user's behalf. Successful exploitation could lead to session hijacking, redirection to phishing sites, or the theft of sensitive data entered on the compromised website. The impact is amplified if the website handles sensitive user information or is used for financial transactions, as attackers could steal credentials or manipulate data.
This vulnerability was publicly disclosed on 2025-11-06. Currently, there are no known public proof-of-concept exploits available. The CVSS score of 7.1 (HIGH) indicates a significant risk. It is not listed on the CISA KEV catalog at the time of writing.
Websites using the Slick Google Map plugin, particularly those with user authentication or sensitive data displayed through the plugin, are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as a single compromised plugin can affect multiple websites.
• wordpress / composer / npm:
  grep -r 'slick-google-map' /var/www/html/wp-content/plugins/
  wp plugin list | grep 'slick-google-map'
• generic web:
  curl -I https://example.com/wp-content/plugins/slick-google-map/ | grep 'X-Frame-Options'
Disclosure
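As an added example (not part of this advisory and not the plugin's own code), the following POSIX shell script turns the manual grep above into an actual version check against the fixed release 0.3.1. It assumes the usual wp-content/plugins/slick-google-map/ layout and the "Version:" header WordPress requires in a plugin's main file; the main file's name is not assumed, any top-level .php file carrying that header is read. The plugin headers written by the demo function are constructed samples, not real installs.

```shell
#!/bin/sh
# Added example: report whether an installed slick-google-map is older than the
# fixed version 0.3.1 (CVE-2025-48078). Assumes the standard WordPress plugin
# header line "Version: x.y.z" in a top-level .php file of the plugin directory.

FIXED_VERSION="0.3.1"

# version_lt A B -> returns 0 when dot-separated version A is lower than B.
# Missing components count as 0, so 0.3 < 0.3.1 and 0.3.1 == 0.3.1.0.
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        # keep digits only so tags like "0.3-beta" do not break the comparison
        x=$(printf '%s' "$x" | tr -cd '0-9'); x="${x:-0}"
        y=$(printf '%s' "$y" | tr -cd '0-9'); y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# plugin_version DIR -> prints the Version header found in DIR, fails if none.
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$f" | head -n1)
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# check_plugin DIR -> prints VULNERABLE/PATCHED/UNKNOWN; exit 1 when vulnerable,
# 2 when no version header could be read.
check_plugin() {
    v=$(plugin_version "$1") || { echo "UNKNOWN"; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE ($v < $FIXED_VERSION)"; return 1
    fi
    echo "PATCHED ($v)"; return 0
}

# demo: constructed plugin directories (not real installs) to show both outcomes.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/old/slick-google-map" "$tmp/new/slick-google-map"
    printf '<?php\n/*\n * Plugin Name: Slick Google Map\n * Version: 0.3\n */\n' \
        > "$tmp/old/slick-google-map/main.php"
    printf '<?php\n/*\n * Plugin Name: Slick Google Map\n * Version: 0.3.1\n */\n' \
        > "$tmp/new/slick-google-map/main.php"
    check_plugin "$tmp/old/slick-google-map"
    check_plugin "$tmp/new/slick-google-map"
    rm -rf "$tmp"
}

# Usage: ./check.sh /var/www/html/wp-content/plugins/slick-google-map
# With no argument the constructed demo runs instead.
if [ $# -gt 0 ]; then check_plugin "$1"; else demo; fi
```

The exit codes let the script sit in a cron job or a CI gate: a non-zero status from `check_plugin` means the install still needs the 0.3.1 update.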
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the Slick Google Map plugin to version 0.3.1 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider implementing CSRF protection measures on the plugin's input fields. This could involve adding CSRF tokens to all POST requests or using a WordPress security plugin that provides CSRF protection. Monitor website access logs for suspicious requests originating from unfamiliar IP addresses or user agents, looking for patterns indicative of CSRF attacks. After upgrading, verify the fix by attempting to inject a simple JavaScript payload through the plugin’s input fields and confirming that it is properly sanitized.
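The mitigation text above recommends watching access logs for requests that look like CSRF. As an added example, not taken from this advisory, the following POSIX shell filter scans combined-format access log lines and flags POST requests to /wp-admin/ whose Referer comes from a host other than the site itself, which is the typical footprint of a forged request submitted from a lure page. The /wp-admin/ prefix and the sample log lines are constructed assumptions for the demo; this page does not name the plugin's actual settings endpoint, so adjust the path filter to the endpoints your install exposes.

```shell
#!/bin/sh
# Added example: flag cross-site POSTs to WordPress admin endpoints in a
# combined-format access log. Constructed assumptions: admin endpoints live
# under /wp-admin/, and the log uses the usual "METHOD PATH PROTO" request field
# followed by status, bytes, Referer and User-Agent in double quotes.

# flag_csrf_candidates SITE_HOST < access.log
# Prints "IP PATH REFERER" for each POST to /wp-admin/ whose Referer host is not
# SITE_HOST. A missing Referer ("-") is deliberately not flagged on its own,
# because privacy settings and some browsers strip it on legitimate requests.
flag_csrf_candidates() {
    awk -F'"' -v site="$1" '
    {
        split($2, req, " ")                 # $2 is "METHOD PATH PROTO"
        if (req[1] != "POST") next
        if (index(req[2], "/wp-admin/") != 1) next
        ref = $4                            # $4 is the Referer value
        if (ref == "-" || ref == "") next
        sub(/^[a-z]+:\/\//, "", ref)        # drop the scheme
        sub(/[\/:].*$/, "", ref)            # keep only the host part
        if (ref == site) next
        split($1, pre, " ")                 # $1 starts with the client IP
        print pre[1], req[2], $4
    }'
}

# Constructed sample log (RFC 5737 addresses, not real traffic): one forged
# cross-site POST, one legitimate same-site POST, one harmless GET.
SAMPLE_LOG='203.0.113.5 - - [06/Nov/2025:10:00:00 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [06/Nov/2025:10:01:00 +0000] "POST /wp-admin/options.php HTTP/1.1" 302 0 "https://example.com/wp-admin/options-general.php" "Mozilla/5.0"
198.51.100.8 - - [06/Nov/2025:10:02:00 +0000] "GET /wp-content/plugins/slick-google-map/readme.txt HTTP/1.1" 200 512 "-" "curl/8.0"'

# Usage on a real server: flag_csrf_candidates example.com < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_csrf_candidates example.com
```

Only the first sample line is reported: its Referer host (attacker.example) differs from the site host, while the second line's Referer is the site itself. Feed the output into whatever alerting you already have; the hits are candidates to review, not proof of compromise.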
Update the Slick Google Map plugin to a corrected version. Consult the plugin's release notes or the developer's website for further information on available updates and how to install them. Make sure to create a backup of your website before updating plugins.
CVE-2025-48078 is a Cross-Site Scripting (XSS) vulnerability in the Slick Google Map WordPress plugin, allowing attackers to inject malicious scripts via CSRF.
You are affected if you are using Slick Google Map versions 0.0.0 through 0.3. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Slick Google Map plugin to version 0.3.1 or later to resolve the vulnerability. Consider CSRF protection as a temporary workaround if upgrading is not possible.
While no active exploitation has been confirmed, the vulnerability is highly exploitable and should be patched immediately.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.