Daniel Compton of BSI Cybersecurity and Information Resilience (formerly Info-Assure Ltd) discovered a high-risk security vulnerability in the Maps Pro WordPress plugin.
As part of our responsible disclosure program, we will not release any information until the vendor has patched the vulnerability. Once the vulnerability has been patched, we will withhold the exact details and exploitation methods for 3 months. This gives all users of the product sufficient time to update and protect themselves against the issue.
Vulnerability type: Stored cross-site scripting
Vendor: Themify.me
Vulnerable product version: Maps Pro 1.0.0
Fixed product version: Maps Pro 1.0.1
Vendor Patch Release: http://themify.me/changelogs/builder-maps-pro.txt
Discovered: 12/01/2015
Reported: 12/01/2015
Vendor fixed: 12/01/2015
Partial disclosure: 14/01/2015
Full disclosure: TBA