The Arrow Maps plugin for WordPress contains a flaw in which user‑supplied data is echoed into page content without proper neutralization, creating a reflected cross‑site scripting vulnerability. This weakness allows an attacker to inject arbitrary JavaScript that will run in the browsers of visitors who view the affected page, potentially leading to defacement, credential theft or redirection to malicious sites. Classified as CWE‑79, the bug carries a CVSS score of 7.1. The likely attack vector is via a crafted URL or form input that triggers the plugin to output unescaped data, though the official description does not specify the exact parameter.

All installations of the Arrow Maps plugin developed by Arrow Plugins for WordPress are vulnerable, from the initial release through version 1.0.9. The plugin is identified in WordPress as Arrow Maps and remains exposed until updated.

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% reflects a low but non‑zero likelihood of exploitation. The flaw is not listed in the CISA KEV catalog, so no widely known exploits are documented. Exploitation requires that an attacker craft a malicious request that includes the vulnerable input and that a victim then accesses the page for the payload to execute, which is characteristic of reflected XSS risks in publicly accessible WordPress sites.