Protecting Hong Kong websites against the YaMaps XSS vulnerability (CVE-2025-14851)

Cross-site scripting (XSS) in the WordPress YaMaps plugin
Plugin name: YaMaps for WordPress plugin
Vulnerability type: Cross-site scripting (XSS)
CVE number: CVE-2025-14851
Urgency level:
CVE publication date: 2026-02-18
Source URL: CVE-2025-14851

Urgent: authenticated (Contributor) stored XSS in YaMaps for WordPress (CVE-2025-14851), and what site owners must do now

Author: Hong Kong Security Expert

Date: 2026-02-19

Tags: WordPress, security, vulnerability, XSS, WAF, YaMaps

A technical analysis of the authenticated Contributor stored cross-site scripting (XSS) vulnerability in YaMaps for WordPress (<= 0.6.40): risk assessment, detection, mitigation options, WAF/virtual-patching guidance, and recommended hardening steps you can apply immediately.

TL;DR

A stored cross-site scripting (XSS) vulnerability in the YaMaps for WordPress plugin (versions <= 0.6.40) allows an authenticated user with Contributor-level privileges (or higher) to insert malicious JavaScript into shortcode parameters, which are later rendered into the page and executed in visitors' browsers. The vulnerability is tracked as CVE-2025-14851 and is fixed in YaMaps 0.6.41.

  • Update YaMaps to 0.6.41 or later immediately.
  • If you cannot update right away, apply the mitigation steps below (virtual patching, WAF rules, capability restrictions).
  • Review Contributor-created posts and shortcodes for unexpected attributes or embedded scripts.
  • Scan the site for indicators of compromise (IOCs) and review recent content changes and user accounts.

This article explains, from a security practitioner's perspective, the technical root cause, realistic exploitation scenarios, detection indicators, actionable mitigations (including WAF signatures and a quick virtual patch), and long-term hardening recommendations.

What happened (summary)

  • A stored XSS vulnerability was found in YaMaps for WordPress, affecting versions up to and including 0.6.40.
  • Attack vector: an authenticated user with Contributor privileges (or higher) can save a crafted shortcode parameter containing a JavaScript payload. Because the plugin does not properly sanitize/escape these parameters before output, the payload is persisted and executes when a visitor (or an administrator/editor) views the page.
  • Impact: persistent XSS usable for cookie theft, session hijacking, privilege escalation via CSRF/XSS chains, malicious redirects, SEO spam, or backdoor delivery.
  • CVE: CVE-2025-14851
  • Fixed version: YaMaps 0.6.41

Why this is serious (technical background)

Stored (persistent) XSS is dangerous because the malicious script is saved on the server and delivered to every visitor who views the affected page. This case is especially concerning because only Contributor-level access is needed to persist the payload. Many editorial workflows use Contributor accounts for guest authors or community contributions, which widens the attack surface.

Key reasons this matters:

  • Contributor accounts are commonly trusted to submit content and can include shortcodes.
  • Shortcode attributes may be written directly into HTML attributes or data-* attributes; without escaping, they can reach a JavaScript context.
  • Stored XSS can be chained: escalate privileges, target administrators, inject further persistent content, or steal credentials.

Technical analysis: how this vulnerability likely works

The common pattern that introduces this bug:

  1. The plugin registers a [yamaps] shortcode that accepts parameters (attributes), e.g. [yamaps address="..." zoom="..." title="..."].
  2. When a post/page is saved, the shortcode string (including its attributes) is persisted in post_content. Contributors can add or edit posts containing shortcode instances.
  3. On the front end, the plugin parses the shortcode and outputs HTML containing those attribute values, placed in HTML attributes or inline JavaScript.
  4. The plugin neglects input sanitization (e.g. sanitize_text_field, wp_kses, intval) and does not escape output (e.g. esc_attr, esc_js, esc_html).
  5. An attribute containing quotes, angle brackets, or event handlers can break out of the intended context and inject script.

Example unsafe pattern (pseudo-PHP):

<?php

If $atts['title'] contains a value such as " onmouseover=" or '>', it can break out of the attribute and execute.

Correct pattern:

<?php

Or, when HTML is allowed:

<?php
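To make the unsafe and correct patterns concrete, here is an added, stand-alone example (not code from the original post or from the YaMaps plugin). It renders a [yamaps]-style shortcode first by concatenating the attributes directly, then with sanitization and escaping, and uses DOMDocument to show which event-handler attributes a browser would actually see in each result. The helper names esc_attr_stub() and sanitize_text_field_stub() are this example's own stand-ins for the WordPress functions esc_attr() and sanitize_text_field(), so the file runs outside WordPress; the sample attribute values are constructed.

```php
<?php
// Added example (not part of the original post or the YaMaps plugin).
// Stand-in for WordPress esc_attr(): encode &, <, >, " and ' for an attribute context.
function esc_attr_stub(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for WordPress sanitize_text_field(): strip tags, control characters and surrounding whitespace.
function sanitize_text_field_stub(string $text): string {
    $text = strip_tags($text);
    $text = preg_replace('/[\x00-\x1F\x7F]+/', '', $text);
    return trim($text);
}

// Unsafe pattern the article describes: attribute values concatenated straight into HTML.
function render_yamaps_unsafe(array $atts): string {
    return '<div class="yamaps" title="' . $atts['title'] . '" data-zoom="' . $atts['zoom'] . '"></div>';
}

// Hardened pattern: sanitize on input, cast numbers (like intval()), escape on output.
function render_yamaps_safe(array $atts): string {
    $title = sanitize_text_field_stub((string) ($atts['title'] ?? ''));
    $zoom  = (int) ($atts['zoom'] ?? 10);   // non-numeric input becomes 0, trailing junk is dropped
    return '<div class="yamaps" title="' . esc_attr_stub($title)
         . '" data-zoom="' . esc_attr_stub((string) $zoom) . '"></div>';
}

// Parse rendered HTML the way a browser would and list every on* attribute that survived.
function live_event_handlers(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $found = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $found[] = $el->tagName . '@' . $attr->name;
            }
        }
    }
    return $found;
}

// Constructed sample: a title that tries to close the attribute and add an event
// handler, and a zoom value that does the same after a numeric prefix.
$sample = [
    'title' => '" onmouseover="alert(1)',
    'zoom'  => '12" onclick="alert(2)',
];

foreach (['unsafe' => render_yamaps_unsafe($sample), 'safe' => render_yamaps_safe($sample)] as $label => $html) {
    $handlers = live_event_handlers($html);
    printf("%-6s %s\n       live handlers: %s\n", $label, $html, $handlers ? implode(', ', $handlers) : 'none');
}
```

Run it with php on the command line. The unsafe rendering yields a div carrying onmouseover and onclick attributes; the hardened rendering keeps the same characters but only inside the title value (as &quot;), and the zoom value collapses to 12, so the parser reports no live handlers. The check inspects the parsed DOM rather than grepping the raw HTML, because escaped text still contains the literal string "onmouseover=" without it ever becoming an attribute.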

Exploitation scenario: a real-world chain

  1. An attacker creates a Contributor-level account or compromises an existing Contributor account.
  2. Using the post editor, the attacker inserts a YaMaps shortcode with crafted parameters containing a script payload or event attribute.
  3. The crafted post is saved; the payload is stored in post_content.
  4. A site visitor or administrator views the page; the plugin renders the shortcode and the malicious script executes in the victim's browser under the site's origin.
  5. Consequences include cookie theft, authenticated requests made as the victim, content modification, backdoor injection and SEO spam.

If an administrator previews or visits the affected page, the impact can quickly escalate to full site compromise.

Risk assessment (CVSS and real-world significance)

CVSS v3.1 向量: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Score: 6.5 (Medium)

  • Privileges required: Contributor
  • User interaction: required (the victim must visit the page)
  • Scope: Changed; the XSS may enable actions affecting resources beyond the initial component

Real-world impact depends on Contributor controls, administrator preview habits, cookie configuration, CSP and other mitigations already in place.

Immediate actions for site owners (in order)

  1. Update YaMaps to version 0.6.41 or later. This is the most important step.
  2. Audit Contributor accounts: remove or disable untrusted Contributors; change passwords for suspicious accounts.
  3. Review recent posts/pages for suspicious shortcode attributes (search for [yamaps and inspect the attributes).
  4. If you cannot update immediately, deploy a virtual patch (WAF rule) to block or sanitize suspicious shortcode attribute patterns; examples below.
  5. Harden cookie flags: ensure cookies are Secure, HttpOnly and, where appropriate, SameSite.
  6. Implement or update a Content Security Policy (CSP) to reduce the impact of injected scripts.
  7. Monitor logs for unusual POST requests to post-editing endpoints and for unexpected content changes.

How to detect whether your site is affected

  • Search post content for occurrences of the YaMaps shortcode:
    SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%[yamaps%';
  • Review recent edits by Contributors (check post_author and post_modified).
  • Look for suspicious attribute content: angle brackets, <script> tags, event handlers (onload, onclick) or javascript: URIs, including in POST/PUT payloads sent to plugin endpoints.
  • Scan front-end pages for unexpected inline <script> elements or event attributes in the plugin's markup.
  • Check server logs for POST requests from unrecognised IPs that contain suspicious shortcode strings.

Quick virtual patch: WAF rules and signatures

If you cannot update immediately, applying targeted WAF rules is an effective temporary mitigation. Test in detection mode first to understand false positives.

Example ModSecurity rule (block suspicious YaMaps shortcode input in POST bodies):

# Block attempts to save yamaps shortcode attributes containing <script> or event handlers

Nginx (with Lua or a custom WAF) pseudocode:

Inspect POST bodies sent to /wp-admin/post.php and /wp-admin/post-new.php for patterns such as:

/\[yamaps[^\]]*(

Generic ModSecurity detection rule:

SecRule ARGS "@rx \[yamaps[^\]]*(

Note: these are temporary mitigations. They reduce risk of automated or opportunistic attempts but do not replace updating the plugin and fixing output escaping at the source.

Quick virtual patch (WordPress-level) — short PHP plugin to sanitize content before output

The following mu-plugin can sanitize YaMaps shortcode attributes at render time. Place it in wp-content/mu-plugins/. Test on staging first.

<?php
/**
 * mu-plugin: sanitize yamaps shortcode attributes on output
 * Temporary mitigation for stored XSS in YaMaps <= 0.6.40
 */

add_filter( 'the_content', 'hk_sanitize_yamaps_shortcode_attributes', 20 );

function hk_sanitize_yamaps_shortcode_attributes( $content ) {
    if ( false === strpos( $content, '[yamaps' ) ) {
        return $content;
    }

    $content = preg_replace_callback(
        '/\[yamaps\b([^\]]*)\]/i',
        function( $matches ) {
            $attrs = $matches[1];

            // Remove script tags
            $attrs = preg_replace( '#<\s*script\b[^>]*>(.*?)<\s*/\s*script\s*>#is', '', $attrs );

            // Remove any on* event attributes: onload=, onclick=, etc.
            $attrs = preg_replace( '/\bon[a-z]+\s*=\s*(["\']?).*?\1/iu', '', $attrs );

            // Remove javascript: pseudo-protocol in attributes
            $attrs = preg_replace( '/javascript\s*:/iu', '', $attrs );

            return '[yamaps' . $attrs . ']';
        },
        $content
    );

    return $content;
}

Caveats:

  • This is a temporary mitigation that attempts to neutralize stored payloads at render time.
  • It may alter legitimate attributes containing unusual characters.
  • Always test on staging and ensure backups exist before applying to production.

Developers must treat shortcode attributes as untrusted input. Fixes include:

  • Sanitize input using sanitize_text_field for text, intval for integers, esc_url_raw for URLs.
  • Escape on output using esc_attr, esc_html, or esc_js depending on context.
  • If HTML is allowed, use wp_kses with an explicit whitelist.
  • Use shortcode_atts_{$shortcode} filters to normalize and sanitize attributes.

Example safe attribute handling:

function yamaps_shortcode( $atts ) {
    $defaults = array(
        'title' => '',
        'address' => '',
        'zoom' => 10,
        'marker' => ''
    );

    $atts = shortcode_atts( $defaults, $atts, 'yamaps' );

    // Sanitize inputs
    $title   = sanitize_text_field( $atts['title'] );
    $address = sanitize_text_field( $atts['address'] );
    $zoom    = intval( $atts['zoom'] );
    $marker  = esc_url_raw( $atts['marker'] );

    // Escape for output
    $out = '<div class="yamaps" data-title="' . esc_attr( $title ) . '" data-address="' . esc_attr( $address ) . '" data-zoom="' . esc_attr( $zoom ) . '">';
    // ...
    $out .= '</div>';

    return $out;
}
add_shortcode( 'yamaps', 'yamaps_shortcode' );

Avoid eval, inline JS generation without escaping, and dangerously concatenated attributes.

Additional site hardening recommendations

  • Principle of least privilege: reduce Contributor accounts and remove unnecessary capabilities.
  • Require two-stage content approval: Editors or Admins should review Contributor content before publishing.
  • Disable unneeded shortcodes: call remove_shortcode('yamaps') or uninstall the plugin if unused.
  • Enable a strict CSP that disallows inline scripts and restricts script sources where practical.
  • Use HTTP security headers: Secure/HttpOnly for cookies, SameSite, X-Content-Type-Options, and a sensible Referrer-Policy.
  • Monitor filesystem and database changes for injected content or unexpected admin user creation.
  • Use version control and reliable backups for plugin/theme files to detect unauthorized changes quickly.

If you think your site has been compromised — incident checklist

  1. Take a snapshot/backup of the affected site (preserve logs and database) for forensics.
  2. Place the site in maintenance mode if needed.
  3. Rotate all admin and editor credentials; force password resets.
  4. Review and delete suspicious posts/pages and revert to clean backups if possible.
  5. Scan for web shells or backdoor files (especially in wp-content/uploads and wp-includes).
  6. Check for new admin users and suspicious plugins/themes.
  7. Review access logs, WP activity logs, and plugin logs.
  8. Reinstall plugins/themes from trusted sources and update to the latest versions.
  9. Harden the site and deploy WAF rules to stop further abuse.
  10. Engage a professional WordPress incident-response team or security service if needed.

Practical search & cleanup queries

  • Find posts containing YaMaps shortcodes:
    SELECT ID, post_title, post_author, post_modified FROM wp_posts WHERE post_content LIKE '%[yamaps%';
  • Identify posts modified recently by contributors (the legacy user level lives in wp_usermeta under meta_key wp_user_level, not in wp_users; Contributor = 1, Author = 2):
    SELECT p.ID, p.post_title, u.user_login FROM wp_posts p JOIN wp_users u ON p.post_author = u.ID JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_user_level' WHERE CAST(m.meta_value AS UNSIGNED) <= 2 AND p.post_modified > '2026-01-01';
  • Grep for suspicious code in uploads and theme files:
    grep -R --exclude-dir=cache -i "eval(" wp-content/
    grep -R --exclude-dir=cache -i "base64_decode" wp-content/
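The detection indicators listed in "How to detect whether your site is affected", the search queries above, and the moderation checklist in Appendix B all come down to the same task: pull every [yamaps ...] shortcode out of stored post content, split it into attributes and flag the dangerous ones. The following added example (not code from the original post or the YaMaps plugin) does that offline over rows shaped like the wp_posts SELECT output. The post rows are constructed for the demonstration, and the function names are this example's own; it decodes URL encoding and HTML entities before matching so that %3Cscript%3E-style variants are not missed.

```php
<?php
// Added example (not part of the original post or the YaMaps plugin).
// Return the raw attribute string of every [yamaps ...] shortcode found in $content.
function extract_yamaps_shortcodes(string $content): array {
    preg_match_all('/\[yamaps\b([^\]]*)\]/i', $content, $m);
    return $m[1];
}

// Minimal parser for key="value", key='value' and key=value pairs, a simplified
// form of what WordPress's shortcode_parse_atts() accepts. A crafted value such as
// title="" onmouseover="..." therefore shows up as a separate attribute named onmouseover.
function parse_shortcode_atts(string $attrs): array {
    $pattern = '/([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/';
    preg_match_all($pattern, $attrs, $m, PREG_SET_ORDER);
    $out = [];
    foreach ($m as $pair) {
        // Exactly one of the three value groups matched; unmatched trailing groups are absent.
        $out[$pair[1]] = $pair[2] . ($pair[3] ?? '') . ($pair[4] ?? '');
    }
    return $out;
}

// Apply the article's indicators to one shortcode's attributes and return readable findings.
function audit_yamaps_atts(array $atts): array {
    $findings = [];
    foreach ($atts as $name => $value) {
        if (preg_match('/^on[a-z]+$/i', $name)) {
            $findings[] = "event-handler attribute name '$name'";
        }
        // Undo URL encoding and HTML entities so encoded script tags are caught as well.
        $decoded = html_entity_decode(rawurldecode($value), ENT_QUOTES, 'UTF-8');
        if (preg_match('/[<>]/', $decoded)) {
            $findings[] = "angle brackets in '$name'";
        }
        if (preg_match('/\bon[a-z]+\s*=/i', $decoded)) {
            $findings[] = "inline event handler in '$name'";
        }
        if (preg_match('/javascript\s*:/i', $decoded)) {
            $findings[] = "javascript: URI in '$name'";
        }
        if (strcasecmp($name, 'zoom') === 0 && !preg_match('/^\d+$/', $value)) {
            $findings[] = "non-numeric zoom '$value'";
        }
    }
    return $findings;
}

// Scan rows with ID, post_author and post_content; return findings keyed by post ID.
function scan_posts(array $posts): array {
    $report = [];
    foreach ($posts as $post) {
        foreach (extract_yamaps_shortcodes($post['post_content']) as $attrs) {
            $findings = audit_yamaps_atts(parse_shortcode_atts($attrs));
            if ($findings) {
                $report[$post['ID']] = array_merge($report[$post['ID']] ?? [], $findings);
            }
        }
    }
    return $report;
}

// Constructed sample rows in the shape of the wp_posts SELECT output.
$posts = [
    ['ID' => 101, 'post_author' => 7, 'post_content' => 'Find us here: [yamaps address="Central, Hong Kong" zoom="15" title="Office"]'],
    ['ID' => 102, 'post_author' => 9, 'post_content' => '[yamaps title="" onmouseover="alert(1)" zoom="10"] Opening hours below.'],
    ['ID' => 103, 'post_author' => 9, 'post_content' => '[yamaps address="x" title="%3Cscript%3Ealert(1)%3C/script%3E"]'],
    ['ID' => 104, 'post_author' => 3, 'post_content' => "[yamaps marker='javascript:alert(1)' zoom=abc]"],
    ['ID' => 105, 'post_author' => 7, 'post_content' => 'No shortcode in this post.'],
];

foreach (scan_posts($posts) as $id => $findings) {
    echo "post $id: " . implode('; ', $findings) . PHP_EOL;
}
```

With the sample rows, post 101 and post 105 produce nothing, post 102 is reported for the onmouseover attribute name, post 103 for the decoded angle brackets in title, and post 104 for the javascript: URI in marker and the non-numeric zoom. To use it against a real site, feed it the rows returned by the SELECT above (for example via wp db query exported to JSON) and review every flagged post by hand before deleting or editing anything.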

Communication & disclosure best practices for site owners

  • Keep a clear timeline of discovery, containment, and remediation actions.
  • If personal data may have been exposed, consult applicable data protection rules (e.g., GDPR) to determine reporting obligations.
  • Inform your editorial team and require additional review of Contributor-authored posts until the issue is resolved.

Timeline (public disclosure & fix)

  • Vulnerability published: 2026-02-19
  • CVE assigned: CVE-2025-14851
  • Fixed in YaMaps version: 0.6.41

Prioritise patching by exposure (sites with many public editors or high traffic first).

Appendix A — More WAF rules and detection patterns

Examples for detection and logging-only modes; test on staging.

# Detect event handler attributes in POST bodies to wp-admin endpoints
SecRule REQUEST_METHOD "POST" "chain,phase:2,id:1000021,log,pass,msg:'yamaps possible event handler in attributes'"
  SecRule REQUEST_URI "@rx /wp-admin/(post.php|post-new.php|post-edit.php)" "chain"
  SecRule ARGS_POST "@rx \[yamaps[^\]]*\bon[a-z]+\s*=([^>]+)" "t:none,t:urlDecode,t:lowercase"
# Block saved content containing <script> or suspicious encoded variants
SecRule REQUEST_BODY "@rx (\[yamaps[^\]]*<\s*script\b|\[yamaps[^\]]*%3Cscript%3E)" "phase:2,deny,id:1000022,log,msg:'yamaps saved script tag attempt'"

For logging-only, replace deny with pass,log to collect data before blocking.

Appendix B — Sample review checklist for content moderation teams

  • Require Editor-level review for Contributor posts that include shortcodes.
  • Scan shortcode attributes for angle brackets, on*= attributes, javascript: protocols, and encoded script tags.
  • Validate attachments and uploaded media; ensure no PHP files exist in the uploads folder.

Final notes — a layered strategy works

This YaMaps stored XSS is a reminder: plugins are powerful and must be built defensively. A layered approach gives the best protection:

  1. Keep plugins up to date — apply vendor patches immediately.
  2. Limit write privileges in editorial workflows.
  3. Deploy targeted WAF rules or virtual patches to reduce exploitation during the patch window.
  4. Sanitize and escape output in plugin code.
  5. Harden configuration (CSP, secure cookies, monitoring).

If you need assistance implementing WAF rules, sanitisation measures, or conducting a post‑incident review, engage a qualified WordPress security professional or incident-response team.

Stay vigilant and patch promptly.

— Hong Kong Security Expert
