Stored Cross-Site Scripting Vulnerability in LS Google Map Router Plugin for WordPress
CVE-2025-13850

6.4 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 12 December 2025

What is CVE-2025-13850?

The LS Google Map Router plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'map_type' parameter in all versions prior to 1.1.0. Insufficient input sanitization and output escaping allow authenticated users with Contributor-level access or higher to insert harmful web scripts. These scripts execute whenever a page containing the injected code is accessed, posing significant risks to site security and user data integrity. This vulnerability highlights the importance of proper validation and sanitization of user inputs to prevent such attacks.
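
A defender-side check for the issue described above, added here as an example (not code from the plugin or its vendor): it scans stored post content for shortcodes carrying a `map_type` attribute whose value is not a plain map type name. It assumes the parameter is set through a shortcode attribute and that the legitimate values are the four Google Maps base map types; the page states neither, and `example_map` is a constructed tag name.

```python
import html
import re

# Assumption: only the four Google Maps base map types are legitimate values.
ALLOWED_MAP_TYPES = {"roadmap", "satellite", "hybrid", "terrain"}

# Any [shortcode ...] block: group 1 is the tag, group 2 the raw attribute text.
SHORTCODE = re.compile(r"\[(\w[\w-]*)\b([^\]]*)\]")
# map_type=value where the value is double-quoted, single-quoted or bare.
MAP_TYPE = re.compile(
    r"""\bmap_type\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""", re.I
)


def find_suspect_map_types(posts):
    """Return (post_id, shortcode_tag, raw_value) for every map_type value
    that is not on the allowlist. `posts` is an iterable of (id, content)."""
    findings = []
    for post_id, content in posts:
        # Editors may store quotes and brackets as HTML entities; decode first
        # so an encoded value is judged the same way as a literal one.
        decoded = html.unescape(content)
        for tag, attrs in SHORTCODE.findall(decoded):
            for match in MAP_TYPE.finditer(attrs):
                raw = next(g for g in match.groups() if g is not None)
                if raw.strip().lower() not in ALLOWED_MAP_TYPES:
                    findings.append((post_id, tag, raw))
    return findings


# Constructed sample rows standing in for (ID, post_content) pairs.
SAMPLE_POSTS = [
    (101, '[example_map map_type="satellite" zoom="12"]'),
    (102, "Intro text [example_map map_type='ROADMAP']"),
    (103, "[example_map map_type='hybrid\" data-x=\"1']"),
    (104, "[example_map map_type=&quot;terrain&lt;script&gt;&quot;]"),
    (105, "No shortcode here, map_type=anything in plain text."),
]

if __name__ == "__main__":
    for post_id, tag, raw in find_suspect_map_types(SAMPLE_POSTS):
        print(f"post {post_id}: [{tag}] map_type={raw!r} is not an allowed map type")
```

On a real site the rows would come from an export of `wp_posts.post_content`; every hit is a post to review by hand and to re-save with a valid value once the plugin is updated.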

Affected Version(s)

LS Google Map Router * <= 1.1.0

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Gilang Asra Bilhadi