The Simple Map No Api plugin for WordPress contains a stored cross‑site scripting flaw that arises from improper neutralization of user input during web page generation. An attacker who injects malicious JavaScript into input that the plugin accepts can have that script served to any browser that renders the affected page. The consequence is that the attacker can steal session cookies, deface content, or exfiltrate data from the victim’s browser environment. The weakness is classified as CWE-79.

Vulnerable versions include all releases of Mashi’s Simple Map No Api plugin up to and including version 1.9. This applies to WordPress installations that have the plugin installed and activated.

The CVSS score of 6.5 indicates a medium severity risk. The EPSS score of < 1% suggests that the likelihood of current exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated attacker submitting malicious data through a form or URL that the plugin stores for display; a victim visiting that page then receives and executes the injected script. Exploitation requires the plugin to be present and enabled, and the attacker benefits most when users have not applied proper privilege separation or input sanitization. The moderate severity and low exploitation probability still warrant prompt remediation to avoid potential credential theft or account takeover.