Impact
The Extensions for Leaflet Map plugin for WordPress contains a stored Cross-Site Scripting (XSS) flaw in its geojsonmarker shortcode. The plugin fails to sanitize and escape user-supplied shortcode attributes, so an authenticated user with Contributor or higher privileges can inject arbitrary JavaScript into a post. When a victim loads a page containing the malicious shortcode, the script runs in the victim's browser, potentially hijacking sessions, defacing content, or performing other client-side attacks.
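To illustrate the bug class described above, the following is an added example and not the plugin's own code: a minimal shortcode handler written in the vulnerable style, where attribute values are echoed into markup unescaped, beside a hardened version that validates and escapes each value for the context it lands in. The shortcode name is the one named in the advisory; the `label` and `src` attribute names are assumptions made for the example.

```php
<?php
// Added illustration of the vulnerable-vs-hardened shortcode pattern.
// Not the Extensions for Leaflet Map plugin's code; the attribute names
// 'label' and 'src' are assumed for this example.

// VULNERABLE pattern: attribute values flow straight into HTML.
// WordPress's KSES filter strips <script> tags from a Contributor's post
// body, but it does not inspect the values inside shortcode attributes,
// so whatever is written in [geojsonmarker label="..." src="..."] is
// rendered verbatim for every visitor who views the post.
function geojsonmarker_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'label' => '', 'src' => '' ), $atts, 'geojsonmarker' );
    return '<div class="leaflet-marker" data-src="' . $atts['src'] . '">'
         . $atts['label'] . '</div>';
}

// HARDENED pattern: validate where a fixed format is expected, then escape
// for the exact output context (URL, attribute, HTML text) at render time.
function geojsonmarker_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'label' => '', 'src' => '' ), $atts, 'geojsonmarker' );

    // src must be a URL: esc_url() rejects javascript: and other unsafe schemes.
    $src = esc_url( $atts['src'] );

    // label is free text rendered as element content: esc_html() neutralises tags.
    $label = esc_html( $atts['label'] );

    // Attribute context: esc_attr() escapes quotes so the value cannot break
    // out of the data-src="" attribute and add its own event handlers.
    return '<div class="leaflet-marker" data-src="' . esc_attr( $src ) . '">'
         . $label . '</div>';
}

// Register the hardened handler; the vulnerable one is kept only for comparison.
add_shortcode( 'geojsonmarker', 'geojsonmarker_shortcode_hardened' );
```

When reviewing a shortcode handler for this class of issue, trace every `$atts[...]` value to the point where it is concatenated into output and confirm an escaping function appropriate to that context sits in between.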
Affected Systems
WordPress sites that have installed the Extensions for Leaflet Map plugin version 4.7 or earlier are affected. The vulnerability exists in every release up to and including 4.7, regardless of the installed WordPress version. Site administrators must verify whether the plugin is present on their instances.
Risk and Exploitability
The flaw carries a CVSS score of 6.4, indicating moderate severity, while the EPSS score of less than 1 % suggests that the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog, implying no publicly confirmed exploits at this time. Attackers need only Contributor-level access to inject payloads via the geojsonmarker shortcode, which then execute automatically for any user who views the affected page. Because the payload is stored server-side and injection requires only a low-privilege role, the attack is practical in a typical content-management environment where contributors are allowed to write posts.
OpenCVE Enrichment