Impact
The MapMap plugin for WordPress is affected by Cross‑Site Request Forgery (CWE‑352). Its admin_shortcode_submit, admin_configuration_submit, and admin_shortcode_delete functions do not validate a nonce on the incoming request, so an unauthenticated attacker can forge requests to these admin endpoints and have them executed by any logged‑in administrator who is tricked into submitting them (for example, by visiting an attacker‑controlled page). Through such forged requests the attacker can alter the plugin’s settings and store arbitrary script in the database, which is later rendered as stored cross‑site scripting in the browsers of users who view the affected pages. The result is arbitrary configuration changes and script execution in the context of the site and its administrators, compromising both confidentiality and integrity.
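The following is an added illustration, not code from the MapMap plugin, of the missing‑nonce pattern described above and the hardened shape a reviewer would expect in its place. Handler names (mapmap_config_submit, mapmap_config_submit_vuln), the option key mapmap_settings and the field names are hypothetical; the WordPress functions used (check_admin_referer, wp_nonce_field, current_user_can, wp_kses_post and friends) are the real core APIs.

```php
<?php
/**
 * Added illustration (not MapMap's own code): a WordPress admin-post handler
 * in the vulnerable CWE-352 shape, followed by the hardened shape.
 * Handler names, option key and field names are hypothetical.
 */

// --- Vulnerable shape: no nonce check, no capability check, raw input stored. ---
add_action( 'admin_post_mapmap_config_submit_vuln', 'mapmap_config_submit_vuln' );
function mapmap_config_submit_vuln() {
    // Any browser holding an administrator's session that POSTs here, including
    // one auto-submitting a form from an attacker's page, updates the option.
    // The value is stored unsanitized and, if echoed without escaping later,
    // becomes stored XSS.
    update_option( 'mapmap_settings', $_POST['mapmap_settings'] );
    wp_safe_redirect( admin_url( 'admin.php?page=mapmap' ) );
    exit;
}

// --- Hardened shape: capability check, nonce check, sanitization. ---
add_action( 'admin_post_mapmap_config_submit', 'mapmap_config_submit' );
function mapmap_config_submit() {
    // 1. Capability: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'mapmap' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF: check_admin_referer() verifies the '_wpnonce' field for the
    //    action 'mapmap_config_submit' and dies if it is missing or invalid.
    //    A cross-site form cannot supply a valid nonce: it is tied to the
    //    victim's user session and expires.
    check_admin_referer( 'mapmap_config_submit' );

    // 3. Input handling: sanitize every field; allow only a safe HTML subset
    //    where HTML is genuinely needed (wp_kses_post strips <script> etc.).
    $raw   = isset( $_POST['mapmap_settings'] ) ? wp_unslash( (array) $_POST['mapmap_settings'] ) : array();
    $clean = array(
        'api_key'   => sanitize_text_field( $raw['api_key'] ?? '' ),
        'zoom'      => absint( $raw['zoom'] ?? 10 ),
        'info_html' => wp_kses_post( $raw['info_html'] ?? '' ),
    );
    update_option( 'mapmap_settings', $clean );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=mapmap' ) ) );
    exit;
}

// The legitimate settings form must emit the matching nonce field, and every
// stored value must be escaped on output so a stored payload cannot execute.
function mapmap_render_settings_form() {
    $settings = get_option( 'mapmap_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mapmap_config_submit">
        <?php wp_nonce_field( 'mapmap_config_submit' ); ?>
        <input type="text" name="mapmap_settings[api_key]"
               value="<?php echo esc_attr( $settings['api_key'] ?? '' ); ?>">
        <input type="number" name="mapmap_settings[zoom]"
               value="<?php echo esc_attr( $settings['zoom'] ?? 10 ); ?>">
        <textarea name="mapmap_settings[info_html]"><?php echo esc_textarea( $settings['info_html'] ?? '' ); ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The same three checks apply to a delete endpoint reached by a GET link: generate the link with wp_nonce_url( $url, 'mapmap_shortcode_delete' ) and verify it with check_admin_referer( 'mapmap_shortcode_delete' ) before touching the database. Note the order in the hardened handler: the capability check runs first, then the nonce check, then sanitization; skipping any one of them leaves either the CSRF or the stored‑XSS half of the issue in place.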
Affected Systems
All installations of the WordPress MapMap plugin (sugiartha:MapMap) at version 1.1 and earlier are affected. Any WordPress site running one of these versions with the plugin activated is vulnerable unless the plugin has been patched or deactivated.
Risk and Exploitability
With a CVSS score of 6.1 this vulnerability is rated medium severity. It is exploitable whenever an administrator can be persuaded to visit a malicious page or submit a forged form: the attacker needs no credentials of their own, but the victim must be logged in to WordPress with sufficient privileges when the forged request is sent, so some social engineering against an administrator is required. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. Once exploited, the attacker can change the plugin’s settings and store scripts that execute in the browsers of administrators and other users viewing the affected pages, potentially giving the attacker control over what the site’s front‑end renders.
OpenCVE Enrichment