This defect is an improper neutralization of input during web page generation that allows an attacker to inject malicious script code into the output of a WordPress site running the mrsaucier GoogleMapper plugin. The flaw enables reflected XSS, meaning an attacker can craft a URL containing malicious payloads that will be executed in the victim’s browser when they click the link or otherwise load the page. The associated weakness is CWE‑79, which indicates that the input was not properly sanitized or encoded before being included in the rendered page. The potential consequences are session hijacking, credential theft, phishing, and malicious content injection, all of which affect the confidentiality, integrity, and availability of the site and its users.

All installations of the GoogleMapper WordPress plugin version 2.0.3 and older. The plugin, distributed by mrsaucier, is used to embed Google Maps into WordPress posts and pages. Any site that has one of these versions is susceptible to the vulnerability, regardless of the server environment or WordPress version.

The vulnerability carries a CVSS score of 7.1, indicating high severity. The EPSS score is below 1%, suggesting the likelihood of exploitation is low at present. It is not listed in the CISA KEV catalog. The exploit path is straightforward: an attacker merely needs to embed a malicious script into a URL parameter or otherwise influence the input that the plugin reflects back to the browser. Because the flaw is a reflected XSS, it does not require authentication or server-side compromise, and any user who visits the crafted URL is at risk.