Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bernd Altmeier Google Maps GPX Viewer google-maps-gpx-viewer allows Reflected XSS. This issue affects Google Maps GPX Viewer: from n/a through <= 3.6.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Google Maps GPX Viewer plugin for WordPress contains an input handling flaw that improperly neutralizes user supplied data. When a maliciously crafted URL is requested, the plugin reflects the supplied value back into the generated web page without escaping it, creating a reflected cross‑site scripting (XSS) vulnerability. This enables an attacker to inject and execute arbitrary client‑side scripts in the browser of any user who opens the page, potentially allowing cookie theft, session hijacking or other site‑wide attacks.

Affected Systems

All releases of the Bernd Altmeier Google Maps GPX Viewer plugin from the earliest available version through version 3.6 are affected. The plugin is installed on WordPress sites that use it to display GPX tracks and maps.

Risk and Exploitability

The flaw receives a CVSS score of 7.1, indicating high severity, and an EPSS score of less than 1%, suggesting low exploitation probability. It is not listed in the CISA KEV catalog. The vulnerability is a reflected XSS, so an attacker can exploit it remotely by luring a user to visit a crafted link or embedding the malicious payload in a phishing or social‑engineering scenario. No authentication or privileged access is required for exploitation.

Generated by OpenCVE AI on May 1, 2026 at 09:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Google Maps GPX Viewer plugin to the latest version, which removes the unescaped parameter handling.
  • If an upgrade is not immediately possible, enforce input validation or enable a web application firewall rule that blocks script tags and other dangerous characters in URL parameters for this plugin.
  • Deploy a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted domains, limiting the impact of any remaining XSS vectors.
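As an added illustration of the escaping and CSP advice above (this is not the plugin's own code and is not part of the OpenCVE record), the following shows the generic reflected-XSS pattern in a WordPress plugin next to a hardened form. The query parameter name `gpx_file`, the function names, the allow-list and the CSP origins are assumptions made for the example.

```php
<?php
// Added example, not the Google Maps GPX Viewer plugin's code.
// The parameter name "gpx_file" and all function names are hypothetical.

// Vulnerable pattern (for contrast): the raw query value is written into
// the generated page, so any markup it carries becomes part of the DOM.
function gpx_viewer_render_unsafe() {
    $file = isset( $_GET['gpx_file'] ) ? $_GET['gpx_file'] : '';
    return '<div class="gpx-viewer" data-file="' . $file . '">' . $file . '</div>';
}

// Hardened form: validate against what the feature actually needs, then
// escape for the exact output context (attribute value vs. text node).
function gpx_viewer_render_safe() {
    $raw  = isset( $_GET['gpx_file'] ) ? wp_unslash( $_GET['gpx_file'] ) : '';
    $file = sanitize_file_name( $raw );

    // Allow-list (assumed policy): a plain .gpx basename, no path separators.
    if ( $file === '' || ! preg_match( '/^[A-Za-z0-9_-]+\.gpx$/', $file ) ) {
        return '<div class="gpx-viewer">Invalid track selection.</div>';
    }

    // esc_attr() for the attribute context, esc_html() for the text context.
    return '<div class="gpx-viewer" data-file="' . esc_attr( $file ) . '">'
         . esc_html( $file ) . '</div>';
}

// Defence in depth: a CSP without 'unsafe-inline' limits what any residual
// reflection can execute. Sent on 'send_headers' so it precedes output.
function gpx_viewer_send_csp() {
    header( "Content-Security-Policy: default-src 'self'; "
          . "script-src 'self' https://maps.googleapis.com; "
          . "object-src 'none'; base-uri 'self'" );
}
add_action( 'send_headers', 'gpx_viewer_send_csp' );
```

The `script-src` list is illustrative only; a real deployment must enumerate every script, style and image origin the embedded map actually loads, or the map will break under the policy. Validation first and context-specific escaping second is the point: `sanitize_file_name()` narrows the input, and `esc_attr()` / `esc_html()` neutralize whatever remains for the place it is written.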

Advisories

Source: EUVD
ID: EUVD-2025-11633
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bernd Altmeier Google Maps GPX Viewer allows Reflected XSS. This issue affects Google Maps GPX Viewer: from n/a through 3.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description, value removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bernd Altmeier Google Maps GPX Viewer allows Reflected XSS. This issue affects Google Maps GPX Viewer: from n/a through 3.6.
  Description, value added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bernd Altmeier Google Maps GPX Viewer google-maps-gpx-viewer allows Reflected XSS. This issue affects Google Maps GPX Viewer: from n/a through <= 3.6.
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bernd Altmeier Google Maps GPX Viewer allows Reflected XSS. This issue affects Google Maps GPX Viewer: from n/a through 3.6.
  Title: WordPress Google Maps GPX Viewer Plugin <= 3.6 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:47.900Z

Reserved: 2025-02-21T16:45:40.232Z

Link: CVE-2025-27313

Vulnrichment

Updated: 2025-04-17T17:44:37.091Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:36.980

Modified: 2026-06-17T09:03:23.000

Link: CVE-2025-27313

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:45:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')