Urgent: Stored XSS Vulnerability Found in Shortcode for Google Street View WordPress Plugin (CVE-2025-11808)

Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Shortcode for Google Street View plugin for WordPress. This vulnerability, tracked as CVE-2025-11808, affects all versions up to and including 0.5.7. It allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into WordPress pages. This code will then execute whenever a user visits the affected page, potentially leading to account compromise or other malicious activities.

Technical Details

The vulnerability stems from insufficient input sanitization and output escaping within the ‘streetview’ shortcode. Specifically, the ‘id’ attribute is not properly sanitized before being rendered in the page’s HTML. This allows an attacker to inject arbitrary HTML, including <script> tags, into the ‘id’ attribute.

Example vulnerable shortcode usage:

    [streetview id="<script>alert('XSS Vulnerability!');</script>"]

The code snippet below (from gsv-shortcode.php, line 108) demonstrates the lack of proper sanitization:

    // Simplified example showing the lack of sanitization
    $id = $atts['id']; // Vulnerable line - no sanitization
    $output = '<div id="' . $id . '"></div>';

CVSS Analysis

  • CVE ID: CVE-2025-11808
  • Severity: MEDIUM
  • CVSS Score: 6.4

A CVSS score of 6.4 indicates a Medium severity vulnerability. Authentication is required, which limits who can exploit it, but the impact is still significant because of the potential for account compromise and malicious code execution.

Possible Impact

Successful exploitation of this vulnerability could lead to:

  • Account Compromise: An attacker could steal administrator cookies and gain full control of the WordPress site.
  • Malware Distribution: Malicious code could redirect users to phishing sites or install malware on their machines.
  • Defacement: The attacker could modify the content of the website, defacing it or spreading misinformation.
  • Data Theft: Sensitive information could be stolen from users interacting with the compromised pages.

Mitigation and Patch Steps

To mitigate this vulnerability, it is strongly recommended that you take the following steps:

  1. Update the Plugin: Upgrade to a version of the Shortcode for Google Street View plugin that addresses this vulnerability. If a patched version is not available, consider temporarily disabling the plugin.
  2. Web Application Firewall (WAF): Implement a Web Application Firewall (WAF) with rules to detect and block XSS attacks targeting the ‘streetview’ shortcode.
  3. Input Sanitization and Output Escaping: If you maintain the plugin or a similar plugin, ensure all user-supplied input is properly sanitized and output is correctly escaped to prevent XSS vulnerabilities. Use WordPress functions like esc_attr() for escaping attributes.
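
A hardened handler for step 3, as an added example rather than the plugin's own code: the function name `example_streetview_shortcode`, the `example_streetview` tag and the fallback id are hypothetical. It validates `id` against an allowlist and still escapes with esc_attr() at output; the fallback esc_attr() is only there so the file also runs outside WordPress.

```php
<?php
// Added example, not code from the plugin. Names below are hypothetical.

// Approximation of WordPress's esc_attr() so this file also runs with
// plain `php example.php`; inside WordPress the core function is used.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

function example_streetview_shortcode( $atts ) {
    // WordPress passes an empty string when the shortcode has no attributes.
    $atts = is_array( $atts ) ? $atts : array();
    $raw  = isset( $atts['id'] ) ? (string) $atts['id'] : '';

    // 1. Validate on input: an element id only needs letters, digits,
    //    underscore and hyphen, so everything else is dropped.
    $id = preg_replace( '/[^A-Za-z0-9_-]/', '', $raw );
    if ( '' === $id ) {
        $id = 'streetview-map'; // hypothetical fallback id
    }

    // 2. Escape on output: even a validated value goes through esc_attr(),
    //    so a later change to the allowlist cannot reopen the hole.
    return '<div id="' . esc_attr( $id ) . '"></div>';
}

if ( function_exists( 'add_shortcode' ) ) {
    // Inside WordPress: register under a hypothetical tag.
    add_shortcode( 'example_streetview', 'example_streetview_shortcode' );
} else {
    // Stand-alone run. The second sample is the payload quoted earlier in
    // this advisory; the first is a constructed benign value.
    $samples = array( 'map-1', "<script>alert('XSS Vulnerability!');</script>" );
    foreach ( $samples as $sample ) {
        echo example_streetview_shortcode( array( 'id' => $sample ) ), PHP_EOL;
    }
}
```

Escaping alone already keeps the value inside the attribute; the allowlist additionally guarantees the rendered `id` is a usable element identifier.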

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
