CVE-2025-6572 in OpenStreetMap for Gutenberg and WPBakery Page Builder Plugin
Summary
by MITRE • 08/08/2025
The OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) WordPress plugin through 1.2.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Analysis
by VulDB Data Team • 08/08/2025
The vulnerability identified as CVE-2025-6572 affects the OpenStreetMap plugin for WordPress, specifically versions through 1.2.0, which is used together with Gutenberg and WPBakery Page Builder. The flaw resides in the plugin's handling of block options and is an oversight in input validation and output escaping. It is exploitable by users holding the contributor role or higher within the WordPress installation, giving such users a path to stored cross-site scripting attacks against everyone who views the affected content.
The technical root cause is insufficient sanitization of user-provided data in the plugin's block option processing. When administrators or contributors create or modify content using the OpenStreetMap blocks, the plugin does not properly validate and escape certain parameters before these values are stored and later rendered back to users viewing the content. This creates a persistent XSS vector: a payload placed in the block options is saved with the post and executed whenever the affected page or post is loaded. The weakness specifically concerns block configuration data that is embedded into the WordPress post content, which makes it particularly dangerous because it reaches any user who views a page containing a compromised block.
The operational impact of this vulnerability goes beyond simple script execution, because it lets an attacker act through the compromised WordPress environment. Contributors and above can inject persistent scripts that steal session cookies, redirect users to malicious sites, deface content, or run arbitrary JavaScript in the victim's browser. Because the XSS is stored, the malicious code persists in the database and affects all users who view the compromised content, which is particularly dangerous for public-facing WordPress sites with multiple contributors. This undermines the WordPress security model, which normally strips script from content submitted by contributors (they lack the unfiltered_html capability): a plugin that outputs stored options unescaped bypasses that control, allowing users with relatively low privileges to escalate their attack capabilities and potentially compromise the entire site.
Mitigation strategies for CVE-2025-6572 should prioritize immediate patching of the affected plugin to version 1.2.1 or later, which contains the necessary validation and escaping fixes. Administrators should also implement additional security measures such as restricting contributor privileges to limit the scope of potential attacks, deploying a Content Security Policy that restricts inline script execution, and monitoring user activity for suspicious block modifications. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and the attack vector can be mapped to ATT&CK technique T1566.001, which involves phishing with malicious attachments or links. Organizations should also consider implementing web application firewalls to detect and block suspicious script injections, while conducting thorough security audits of all installed plugins to identify similar validation weaknesses that could create comparable attack vectors.
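As an added illustration of the bug class described above and of the validation-and-escaping fix the mitigation section calls for (this is example code, not the plugin's own; the block name, option names and function names are hypothetical), a WordPress dynamic block render callback that echoes stored options unescaped, next to a hardened version that validates each option by type and escapes it for its exact output context:

```php
<?php
// Added example, not the plugin's code. Block, option and function names are hypothetical.
// Assumes the WordPress runtime (esc_html, esc_attr, register_block_type, add_action).

// Vulnerable pattern: stored block options are written straight into the page.
// Any markup or event handler a contributor saved in "title" is rendered for
// every visitor, which is the stored XSS described in the analysis.
function osm_example_render_vulnerable( array $attributes ): string {
    $title = $attributes['title'] ?? '';
    $lat   = $attributes['lat']   ?? '0';
    $lng   = $attributes['lng']   ?? '0';
    return '<div class="osm-map" data-lat="' . $lat . '" data-lng="' . $lng . '">'
         . '<h3>' . $title . '</h3></div>';
}

// Hardened pattern: validate by type and range first, then escape per context.
function osm_example_render_hardened( array $attributes ): string {
    // Coordinates must be numeric and inside the valid ranges; otherwise fall back to 0.
    $lat = isset( $attributes['lat'] ) && is_numeric( $attributes['lat'] ) ? (float) $attributes['lat'] : 0.0;
    $lng = isset( $attributes['lng'] ) && is_numeric( $attributes['lng'] ) ? (float) $attributes['lng'] : 0.0;
    if ( $lat < -90.0 || $lat > 90.0 )   { $lat = 0.0; }
    if ( $lng < -180.0 || $lng > 180.0 ) { $lng = 0.0; }

    // Free text goes into HTML body context, so esc_html(); attribute values get esc_attr().
    $title = esc_html( (string) ( $attributes['title'] ?? '' ) );

    return sprintf(
        '<div class="osm-map" data-lat="%s" data-lng="%s"><h3>%s</h3></div>',
        esc_attr( (string) $lat ),
        esc_attr( (string) $lng ),
        $title
    );
}

// Register the block with a typed attribute schema and the hardened renderer.
add_action( 'init', function () {
    register_block_type( 'osm-example/map', array(
        'attributes' => array(
            'title' => array( 'type' => 'string', 'default' => '' ),
            'lat'   => array( 'type' => 'number', 'default' => 0 ),
            'lng'   => array( 'type' => 'number', 'default' => 0 ),
        ),
        'render_callback' => 'osm_example_render_hardened',
    ) );
} );
```

The attribute schema alone is not a defence: a saved post's block JSON is user-controlled, so the render callback must still escape every value at output time.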