The vulnerability is an improper neutralization of input during web page generation, specifically a stored cross‑site scripting flaw that permits an attacker to embed malicious code into the field’s content. When a page renders the content of the Yandex Maps Field, the input is output without adequate sanitization, enabling an attacker to execute arbitrary JavaScript in the context of that page. This can compromise user privacy, allow credential theft, or facilitate further attacks such as session hijacking.

The flaw affects Unreal Themes’ ACF: Yandex Maps Field plugin versions from the initial release through 1.1. Users running WordPress sites that have installed any of these affected plugin versions are at risk; the vulnerability resides solely in the plugin code and does not extend to WordPress core.

The CVSS score of 5.9 indicates a moderate severity. The EPSS score of < 1% suggests a low likelihood of exploitation at the moment, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because it is a stored XSS that can be triggered via any authenticated user who can input data into the affected field, an attacker requires write access to the plugin’s content but does not need elevated privileges. Once the malicious script is stored, every visitor to a page that displays the field will execute the code in their browser, potentially leading to data exfiltration or session compromise.