Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsiteeditor Site Editor Google Map site-editor-google-map allows Reflected XSS. This issue affects Site Editor Google Map: from n/a through <= 1.0.1.
Published: 2025-03-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Site Editor Google Map plugin contains an improper input neutralization flaw that permits reflected cross‑site scripting. By embedding malicious JavaScript in a URL, an attacker can cause the script to run in the browser context of any user who opens the link. The script runs with the privileges of the page, allowing session hijacking, defacement, or extraction of sensitive data.

Affected Systems

The plugin vendor is wpsiteeditor, product Site Editor Google Map. All releases up to and including version 1.0.1 are affected. Sites that have installed the plugin in this range are vulnerable; no specific WordPress core version is mentioned, so any WordPress installation using the plugin is at risk.

Risk and Exploitability

The CVSS score of 7.1 marks the flaw as high severity. The EPSS score of less than 1% suggests that real‑world exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need to entice a user to click a crafted URL, a common method for reflected XSS, and the flaw does not depend on stored data or authentication.

Generated by OpenCVE AI on May 2, 2026 at 08:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Site Editor Google Map to version 1.0.2 or later, if available, to eliminate the XSS flaw
  • If an upgrade is not immediately possible, temporarily deactivate or uninstall the plugin to prevent reflected script execution
  • Implement a site‑wide Content Security Policy that blocks inline scripts and limits script sources, mitigating the impact of any remaining reflected XSS attempts


Advisories
Source: EUVD
ID: EUVD-2025-8197
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsiteeditor Site Editor Google Map allows Reflected XSS. This issue affects Site Editor Google Map: from n/a through 1.0.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsiteeditor Site Editor Google Map allows Reflected XSS. This issue affects Site Editor Google Map: from n/a through 1.0.1.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsiteeditor Site Editor Google Map site-editor-google-map allows Reflected XSS. This issue affects Site Editor Google Map: from n/a through <= 1.0.1.
References
Metrics cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 26 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsiteeditor Site Editor Google Map allows Reflected XSS. This issue affects Site Editor Google Map: from n/a through 1.0.1.
Title WordPress Site Editor Google Map plugin <= 1.0.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:55:23.881Z

Reserved: 2025-01-16T11:25:03.613Z

Link: CVE-2025-23466

Vulnrichment

Updated: 2025-03-26T15:47:44.981Z

NVD

Status: Deferred

Published: 2025-03-26T15:15:54.100

Modified: 2026-06-17T08:54:35.747

Link: CVE-2025-23466

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:00:11Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')