Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MapGeo Interactive Geo Maps interactive-geo-maps allows Reflected XSS.This issue affects Interactive Geo Maps: from n/a through <= 1.6.24.
Published: 2025-04-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of user input during page rendering that lets an attacker inject and execute arbitrary JavaScript in a victim’s browser. A successful exploit can result in defacement, cookie theft, or session hijacking, compromising confidentiality, integrity, and availability of the site for the affected user. The weakness is a classic input validation failure catalogued as CWE‑79.

Affected Systems

The flaw is present in the MapGeo Interactive Geo Maps WordPress plugin in all releases up to and including version 1.6.24. Any WordPress site that has a vulnerable version installed is at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, yet the EPSS score of less than 1% shows exploitation attempts are currently rare. Based on the description, it is inferred that the likely attack vector is a malicious URL containing query parameters that are reflected back into the page, and an attacker could also entice a user to visit such a link or exploit a CSRF context to trigger the code. The vulnerability is not listed in the CISA KEV catalog, which suggests a lower public awareness of active attacks at this time.

Generated by OpenCVE AI on May 2, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Interactive Geo Maps plugin to a release newer than 1.6.24, such as 1.6.25 or later
  • If an update cannot be applied immediately, disable or remove the plugin from the site
  • Restrict the plugin’s input and map functionalities to trusted administrators or specified user roles

Generated by OpenCVE AI on May 2, 2026 at 02:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-10786 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in interactivegeomaps Interactive Geo Maps allows Reflected XSS. This issue affects Interactive Geo Maps: from n/a through 1.6.24.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in interactivegeomaps Interactive Geo Maps allows Reflected XSS. This issue affects Interactive Geo Maps: from n/a through 1.6.24. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MapGeo Interactive Geo Maps interactive-geo-maps allows Reflected XSS.This issue affects Interactive Geo Maps: from n/a through <= 1.6.24.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 11 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in interactivegeomaps Interactive Geo Maps allows Reflected XSS. This issue affects Interactive Geo Maps: from n/a through 1.6.24.
Title WordPress Interactive Geo Maps plugin <= 1.6.24 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:23.653Z

Reserved: 2025-04-09T11:19:35.669Z

Link: CVE-2025-32525

cve-icon Vulnrichment

Updated: 2025-04-11T15:09:21.399Z

cve-icon NVD

Status : Deferred

Published: 2025-04-11T09:15:24.880

Modified: 2026-04-23T15:29:02.620

Link: CVE-2025-32525

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T02:30:25Z

Weaknesses