Description
The MapGeo – Interactive Geo Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'map' parameter in the display-map shortcode in all versions up to, and including, 1.6.27 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-05-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MapGeo plugin contains a reflected XSS flaw that allows an attacker to inject script code via the 'map' parameter of its shortcode. Because the plugin fails to sanitize user input or escape output, a crafted URL can be embedded in a page that a victim visits. When the victim triggers the page, the malicious script runs in the victim’s browser, potentially compromising user credentials, session cookies, or enabling phishing attacks.

Affected Systems

All installations of the Interactive Geo Maps WordPress plugin with version 1.6.27 or earlier are affected. The flaw exists in every release up to and including 1.6.27. Users running an earlier or newer version are not vulnerable.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, and the exploit is trivial to launch because it requires only a crafted URL and does not need authentication. Although EPSS data is unavailable and the vulnerability is not listed in CISA KEV, the possibility of widespread exposure remains because the plug‑in can be present on many WordPress sites. The likely attack vector is a reflected input via the map parameter in a publicly accessible shortcode.

Generated by OpenCVE AI on May 14, 2026 at 07:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Interactive Geo Maps plugin to version 1.6.28 or later.
  • As an interim workaround, remove or block the display‑map shortcode from pages, or apply output sanitization to the 'map' parameter to escape any user‑supplied content.
  • Deploy a site‑wide web‑application firewall or security plugin that blocks reflected XSS payloads and hardens the input vectors associated with the plugin.

Generated by OpenCVE AI on May 14, 2026 at 07:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Interactive Geo Maps Project
Interactive Geo Maps Project interactive Geo Maps
Wordpress
Wordpress wordpress
Vendors & Products Interactive Geo Maps Project
Interactive Geo Maps Project interactive Geo Maps
Wordpress
Wordpress wordpress

Thu, 14 May 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description The MapGeo – Interactive Geo Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'map' parameter in the display-map shortcode in all versions up to, and including, 1.6.27 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title MapGeo - Interactive Geo Maps <= 1.6.27 - Reflected Cross-Site Scripting via 'map' Parameter
Weaknesses CWE-80
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Interactive Geo Maps Project Interactive Geo Maps
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:46:04.377Z

Reserved: 2025-12-29T23:21:35.778Z

Link: CVE-2025-15345

cve-icon Vulnrichment

Updated: 2026-05-14T10:45:59.392Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T06:16:21.027

Modified: 2026-05-14T14:29:01.600

Link: CVE-2025-15345

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T13:45:18Z

Weaknesses
  • CWE-80

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)