Impact
The vulnerability is an improper neutralization of user input that allows reflected cross-site scripting in the Mapbox for WP Advanced plugin. By embedding script payloads in a crafted request, an attacker can execute arbitrary JavaScript in the browser of any site visitor who follows that request, leading to credential theft, session hijacking, or defacement. The impact is on the confidentiality, integrity, and availability of user accounts and site content.
Affected Systems
The affected product is the WordPress Mapbox for WP Advanced plugin developed by stephanemartinw. Versions from the initial release up to and including 1.0.0 are susceptible. The vulnerability is present in any WordPress installation that has this plugin installed and has not yet been updated to a newer release.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% suggests a low likelihood of widespread exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector, inferred from the description, is a reflected XSS triggered by a crafted URL or form input sent to the plugin's exposed endpoints. Because the plugin accepts arbitrary user input without proper sanitization, the payload is reflected back in the HTTP response and executes in the victim's browser. No authentication or administrative privileges are required, so any attacker who can reach a website running the vulnerable plugin can attempt to exploit this flaw.
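The defect class described above, as an added illustration that is not code from the Mapbox for WP Advanced plugin: the parameter name mbwpa_location and both render functions are hypothetical. The unsafe function shows the reflection pattern (a request value copied straight into the HTML response); the hardened function applies the WordPress convention of sanitizing on input and escaping on output for the exact context the value lands in. The function_exists guards are stand-ins so the file also runs under the plain php CLI; inside WordPress the real core functions are used.

```php
<?php
// Added example, not the plugin's own code. 'mbwpa_location' and the
// two render functions are hypothetical names chosen for illustration.

// Minimal stand-ins so this file runs outside WordPress (php cli).
// When loaded inside WordPress, the real core functions take precedence.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $v ) { return stripslashes( (string) $v ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $v ) { return trim( strip_tags( (string) $v ) ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $v ) { return htmlspecialchars( (string) $v, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $v ) { return htmlspecialchars( (string) $v, ENT_QUOTES, 'UTF-8' ); }
}

// Vulnerable pattern: the request value goes straight into the HTML response.
// Whatever the query string contains, markup included, reaches the browser.
function mbwpa_render_unsafe( array $request ) {
    $location = isset( $request['mbwpa_location'] ) ? $request['mbwpa_location'] : '';
    return '<div class="map-label" data-location="' . $location . '">'
         . $location . '</div>';
}

// Hardened pattern: unslash (WordPress adds slashes to request data),
// sanitize on input, then escape on output for each context separately:
// esc_attr() inside the attribute value, esc_html() inside the text node.
function mbwpa_render_safe( array $request ) {
    $raw      = isset( $request['mbwpa_location'] ) ? wp_unslash( $request['mbwpa_location'] ) : '';
    $location = sanitize_text_field( $raw );
    return '<div class="map-label" data-location="' . esc_attr( $location ) . '">'
         . esc_html( $location ) . '</div>';
}

// Constructed sample input: a stray quote and harmless markup are enough
// to show the attribute and text-node contexts being broken vs. preserved.
$sample = array( 'mbwpa_location' => 'Paris" <b>bold</b>' );
echo "unsafe: ", mbwpa_render_unsafe( $sample ), PHP_EOL;
echo "safe:   ", mbwpa_render_safe( $sample ), PHP_EOL;
```

Run it with php on the command line and compare the two lines: the unsafe output lets the quote close the data-location attribute and renders the tag, while the safe output keeps both inside the intended context. Sanitizing alone is not sufficient, because sanitize_text_field leaves the quote in place; the output-side esc_attr() and esc_html() calls are what neutralize the reflection. Updating the plugin past the affected release remains the actual remediation for the advisory above.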
OpenCVE Enrichment