Impact
The MapSVG plugin for WordPress (by RomanCode) contains a stored cross‑site scripting flaw, classified as CWE‑79: an attacker who can save content through the plugin can embed JavaScript that the site persists and later serves to other users. When a user views the affected map or page, the injected script executes in that user's browser, potentially yielding session hijacking, phishing, or defacement. With a CVSS score of 6.5 the issue is of moderate severity; the impact falls chiefly on the confidentiality and integrity of site data and user sessions and, through defacement, on the availability of page content to visitors. The vulnerability is not limited to a single victim: it affects every visitor who loads the compromised content.
Affected Systems
WordPress sites running the MapSVG plugin at version 8.5.31 or earlier are vulnerable. This applies to every installation of the plugin as distributed by RomanCode, regardless of the WordPress theme or other plugins in use. Exploitation does not depend on the operating system or the WordPress core version; the flaw lies entirely in the plugin's handling of stored content.
Risk and Exploitability
A CVSS score of 6.5 places the issue at moderate severity, and an EPSS score below 1% indicates a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely entry point is the plugin's web‑based map editor or content management interface, where user‑supplied input is stored without proper neutralization and later emitted into pages unencoded. An attacker would need an account permitted to create or edit a map; once the malicious script is stored, every subsequent view of that map executes the code in the viewer's browser, with the viewer's session and privileges. The exposure persists for all site visitors until the plugin is patched or the flaw is otherwise mitigated, for example by removing the affected content.
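The following is an added illustration of the bug class described in the Impact and Risk sections above; it is not MapSVG's code and does not reproduce the plugin's actual storage format or rendering path. The map record, its field names (`title`, `tooltip`) and the two render functions are assumptions chosen to show the pattern: a field saved through the editor is concatenated straight into markup (vulnerable), versus the same field HTML‑encoded at output time (hardened). A small version check for the advisory's affected range (8.5.31 and earlier) is included because it is the first thing a site owner will want to know.

```javascript
// Added example, not MapSVG's own code. The record layout and function
// names below are assumptions used to illustrate stored XSS (CWE-79).

// Constructed sample: a map record as saved by an account that can edit
// maps. The title carries a typical stored-XSS payload.
const storedMap = {
  id: 7,
  title: '<img src=x onerror="alert(document.cookie)">',
  tooltip: 'Region: "{name}"',
};

// HTML-entity encoder for the five characters that matter in both
// element-text and double-quoted-attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored fields are concatenated into markup as-is,
// so whatever was saved in `title` becomes live HTML for every visitor.
function renderMapUnsafe(map) {
  return '<div class="map" data-id="' + map.id + '">' +
         '<h2>' + map.title + '</h2>' +
         '<span class="tooltip">' + map.tooltip + '</span>' +
         '</div>';
}

// Hardened pattern: every stored field is encoded at output time. The
// payload is still in the database, but it renders as inert text.
function renderMapSafe(map) {
  return '<div class="map" data-id="' + escapeHtml(map.id) + '">' +
         '<h2>' + escapeHtml(map.title) + '</h2>' +
         '<span class="tooltip">' + escapeHtml(map.tooltip) + '</span>' +
         '</div>';
}

// Check used to compare the two renderers: list any tag names in the
// output that the template itself does not emit. A non-empty result means
// stored content was interpreted as markup.
const TEMPLATE_TAGS = new Set(['div', 'h2', 'span']);
function foreignTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    const name = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) found.add(name);
  }
  return [...found];
}

// Affected range from the advisory: 8.5.31 and earlier. Numeric
// comparison per component; a pre-release suffix such as "31-beta" is
// truncated to its numeric prefix (assumption, not the plugin's scheme).
function isAffectedVersion(version) {
  const limit = [8, 5, 31];
  const parts = version.split('.').map((p) => parseInt(p, 10) || 0);
  for (let i = 0; i < limit.length; i++) {
    const v = parts[i] === undefined ? 0 : parts[i];
    if (v !== limit[i]) return v < limit[i];
  }
  return true;
}

// Stand-alone run: show both renderings and which tags leaked through.
console.log('unsafe foreign tags:', foreignTags(renderMapUnsafe(storedMap)));
console.log('safe foreign tags:  ', foreignTags(renderMapSafe(storedMap)));
console.log('8.5.31 affected:', isAffectedVersion('8.5.31'));
```

Encoding at output time, rather than (or in addition to) filtering at save time, is the property that actually closes a stored XSS: content already in the database is neutralized on every render, and a field reused in a new context is not silently trusted because it was "sanitized" once. In a WordPress plugin the equivalent of `escapeHtml` is the core `esc_html`/`esc_attr` family applied at the point of output.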
OpenCVE Enrichment