Platform: wordpress
Component: slick-google-map
Fixed in: 0.3.1
CVE-2025-48078 describes a Cross-Site Request Forgery (CSRF) vulnerability leading to Stored XSS within the Slick Google Map WordPress plugin. This allows attackers to inject malicious scripts into the plugin, potentially compromising user accounts and website functionality. The vulnerability affects versions from 0.0.0 through 0.3, and a fix is available in version 0.3.1.
Successful exploitation of CVE-2025-48078 allows an attacker to inject arbitrary JavaScript code into the Slick Google Map plugin's stored settings. That code then runs whenever other users interact with the affected plugin, leading to a range of malicious actions. Attackers could steal user cookies, redirect users to phishing sites, deface the website, or even gain control of the WordPress admin account if the victim has sufficient privileges. The impact is particularly severe because the CSRF aspect lets the attacker trigger the injection through an authenticated user's browser without that user's knowledge, making it a silent and potentially widespread threat.
CVE-2025-48078 was publicly disclosed on 2025-11-06. While no public proof-of-concept (PoC) code has been released, the combination of CSRF and Stored XSS makes this vulnerability highly exploitable. The EPSS score is likely to be medium, indicating a moderate probability of exploitation given the ease of exploitation and potential impact. Monitor WordPress plugin directories and security forums for any signs of active exploitation.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-48078 is to immediately upgrade the Slick Google Map plugin to version 0.3.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing CSRF protection measures on the plugin's input fields. This could involve adding CSRF tokens (in WordPress, nonces) to all forms and validating them on the server side before any setting is saved. While not a complete solution, this can significantly reduce the attack surface. Regularly review WordPress plugin configurations and ensure that only trusted plugins are installed.
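The following is an added illustration, not code from the Slick Google Map plugin, of the CSRF-to-stored-XSS pattern in a WordPress settings handler and of the hardened form using the plugin API's own nonce, capability, sanitization and escaping functions. The option name sgm_demo_map_title, the form field map_title, the function names and the nonce action are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Names are hypothetical.

// --- Vulnerable pattern (shown for contrast; deliberately not hooked) ---
// No nonce, no capability check, no sanitization: any request that an
// authenticated admin's browser can be made to send is accepted, and the raw
// value is stored and later echoed, which is the CSRF -> stored XSS chain.
function sgm_demo_save_vulnerable() {
    if ( isset( $_POST['map_title'] ) ) {
        update_option( 'sgm_demo_map_title', $_POST['map_title'] );
    }
}

// --- Hardened pattern ---
function sgm_demo_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'sgm_demo_save', 'sgm_demo_nonce' ); ?>
        <input type="text" name="map_title"
               value="<?php echo esc_attr( get_option( 'sgm_demo_map_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function sgm_demo_save_hardened() {
    if ( ! isset( $_POST['map_title'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to change settings may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // 2. CSRF check: the nonce is bound to the user's session and this action,
    //    so a forged cross-site request cannot supply a valid one.
    check_admin_referer( 'sgm_demo_save', 'sgm_demo_nonce' );
    // 3. Sanitize on input: strip tags and control characters before storing.
    $title = sanitize_text_field( wp_unslash( $_POST['map_title'] ) );
    update_option( 'sgm_demo_map_title', $title );
}
add_action( 'admin_init', 'sgm_demo_save_hardened' );

// 4. Escape on output, so whatever is stored cannot execute as script.
function sgm_demo_render_title() {
    echo '<h2>' . esc_html( get_option( 'sgm_demo_map_title', '' ) ) . '</h2>';
}
```

Both the nonce check and the output escaping are needed: the nonce stops a forged request from writing the value, and esc_html keeps any value that does reach the database from running in other users' browsers.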
Update the Slick Google Map plugin to a patched version. Refer to the plugin's release notes or the developer's website for information on available updates and how to install them. Ensure you back up your website before updating any plugin.
CVE-2025-48078 is a Cross-Site Scripting (XSS) vulnerability in the Slick Google Map WordPress plugin, allowing attackers to inject malicious scripts via CSRF.
You are affected if you are using Slick Google Map versions 0.0.0 through 0.3. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the Slick Google Map plugin to version 0.3.1 or later to resolve the vulnerability. Consider CSRF protection as a temporary workaround if upgrading is not possible.
While no active exploitation has been confirmed, the vulnerability is highly exploitable and should be patched immediately.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.