An authenticated or unauthenticated attacker can craft a request that takes advantage of the plugin’s missing CSRF protection, causing the WordPress site to store an arbitrary JavaScript string in the database. When the site renders that content, the injected script runs in the browser of any visitor. This stored XSS could be used to modify site appearance, steal session cookies, redirect users, or deliver malware, thereby impacting confidentiality, integrity, and availability of the web application.

The vulnerability exists in the Interactive US Map plugin for WordPress, affecting all installations running version 2.7 or earlier. Site owners who have installed the plugin and allow content entry via the map widget or related admin pages are exposed.

The CVSS score of 7.1 indicates a moderate severity and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. Because the vulnerability is not listed in the CISA KEV catalogue, there are no confirmed exploits yet. Attackers can feasibly exploit the flaw by hosting a malicious page that triggers the vulnerable plugin’s endpoint, with the victim’s browser submitting the crafted request. Successful exploitation requires that the victim has permission to submit content via the map widget or that the site accepts unauthenticated submissions, after which the stored script will affect all users who view the affected page.