Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Interactive Maps super-interactive-maps allows Reflected XSS. This issue affects Super Interactive Maps: from n/a through <= 2.3.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin writes request input into a generated page without neutralizing it (CWE-79), so an attacker can build a URL to the site that carries script, and the plugin reflects that script back to whoever opens the URL. The script then runs in the victim's browser within the origin of the WordPress site: it can read the page, submit forms and call REST or wp-admin endpoints with the victim's session, which for an administrator means any action that account is allowed to perform. WordPress sets its authentication cookies HttpOnly, so outright cookie theft is the less likely outcome; script acting inside the victim's session is the practical one. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L yields 7.1 High: no privileges are needed to craft the link, but the victim has to open it (UI:R), and the changed scope (S:C) reflects that the payload executes in the browser rather than in the plugin itself.
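The weakness class behind this record, and its fix, as an added example that is not code from the Super Interactive Maps plugin or from Highwarden. The parameter names map_id and title, the markup and the function names are hypothetical; the advisory does not say which parameter the plugin reflects. Outside WordPress the script defines stand-ins for esc_attr() and esc_html() so it runs on the PHP CLI; inside WordPress those names already exist and the real helpers are used.

```php
<?php
// Added example for the CWE-79 pattern in a WordPress plugin, not code from
// Super Interactive Maps. Parameter names, markup and function names are
// hypothetical: the advisory does not name the reflected parameter.

// Stand-ins so this file runs on the PHP CLI without WordPress loaded. Inside
// WordPress these functions exist and the real escaping helpers are used.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// CWE-79 as it typically appears in a plugin: request parameters are
// concatenated straight into the page, so a quote closes the attribute
// value and a '>' closes the tag.
function render_map_vulnerable(array $get): string
{
    $mapId = $get['map_id'] ?? '';
    $title = $get['title'] ?? '';
    return '<div class="map" data-map="' . $mapId . '"><h3>' . $title . '</h3></div>';
}

// Hardened: validate what has a known shape (an id is digits only) and
// escape everything at the point of output, for the context it lands in
// (esc_attr inside an attribute value, esc_html inside element text).
function render_map_hardened(array $get): string
{
    $mapId = $get['map_id'] ?? '';
    // Allow-list, not clean-up: anything that is not a plain integer is refused.
    if (!is_string($mapId) || !preg_match('/\A[0-9]{1,10}\z/', $mapId)) {
        return '<div class="map"><p>Invalid map id.</p></div>';
    }
    $title = $get['title'] ?? '';
    $title = is_string($title) ? $title : '';
    return '<div class="map" data-map="' . esc_attr($mapId) . '"><h3>' . esc_html($title) . '</h3></div>';
}

// Constructed request: both parameters carry a breakout payload. With the
// real parameter names this is what a crafted link's query string would hold.
$request = [
    'map_id' => '1"><img src=x onerror=alert(document.domain)>',
    'title'  => '<script>alert(document.domain)</script>',
];

echo "vulnerable: ", render_map_vulnerable($request), PHP_EOL;
echo "hardened:   ", render_map_hardened($request), PHP_EOL;
echo "hardened:   ", render_map_hardened(['map_id' => '7', 'title' => $request['title']]), PHP_EOL;
```

The first line of output contains a live img tag with an onerror handler; the second refuses the request because the id is not numeric; the third shows the title rendered as inert text (&lt;script&gt;...) because escaping happened at output, which is the check that matters for CWE-79 regardless of how the value arrived.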

Affected Systems

Highwarden's Super Interactive Maps WordPress plugin is affected in every release up to and including 2.3 ("from n/a through <= 2.3" in the record means no lower bound is known). Any WordPress site with a vulnerable version installed and active should be treated as exposed. The advisory does not identify which parameter or endpoint reflects the input, so exposure cannot be narrowed to particular pages or shortcodes; an attacker who reads the plugin code can find the reflection point, and a defender should assume one exists anywhere the plugin handles a request.

Risk and Exploitability

An EPSS score below 1% and the absence of this CVE from the CISA KEV catalog mean there is no evidence of exploitation at the time of writing; the SSVC assessment in the record agrees (Exploitation: none, Automatable: no). The weakness is nonetheless easy to exploit once the reflected parameter is known: the attacker places the payload in the query string of a link to the target site and delivers the link by email, chat or a post elsewhere. Reflected XSS needs the victim to open the link (UI:R), and the payload runs with whatever privileges the victim holds on the site, so logged-in administrators and editors are the worthwhile targets. Note that the record's CVSS was first published at 6.1 (A:N) on 26 Jan 2026 and raised to 7.1 on 23 Apr 2026 by setting availability impact to Low (A:L); the 7.1 figure on this page is the later score.

Generated by OpenCVE AI on May 1, 2026 at 05:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin as soon as Highwarden publishes a release newer than 2.3. The record lists no fixed version and no advisory yet, so check the plugin's WordPress.org page and the assigner's (Patchstack) advisory for the patched version rather than assuming one exists.
  • If no update is available, deactivate and delete the plugin. Deactivation alone leaves the plugin's files on disk, and a PHP file that reflects input may still be reachable by requesting it directly if it executes without WordPress loading it; removing the files is what closes the code path.
  • As a stop-gap, put a Web Application Firewall or security plugin in front of the site and confirm it decodes URL encoding before matching, since the record does not name the reflected parameter and a rule tied to one endpoint will miss others. Treat this as a filter, not a fix: pattern-based XSS rules are routinely bypassed. A Content-Security-Policy that forbids inline script would neutralize a reflected payload independently of the WAF, but WordPress core and most plugins rely on inline scripts, so trial such a policy in report-only mode first.

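A way to triage existing web server logs for attempts against this class of bug, as an added example that is not tooling from OpenCVE, Patchstack or the plugin vendor. It parses combined-format access log lines, URL-decodes the query string twice (double encoding is a common filter evasion), flags requests whose decoded query carries common reflected-XSS markers, and notes whether the request path references the plugin's directory (super-interactive-maps, the slug from the record). The log lines, parameter names and paths are constructed for the demo; nothing here is a real request against the plugin. Requires PHP 8 for str_contains().

```php
<?php
// Added example: hunt for reflected-XSS attempts in access logs. Not tooling
// from OpenCVE, Patchstack or Highwarden. Sample lines below are constructed.

// Markers typical of reflected-XSS payloads after URL decoding.
const XSS_MARKERS = [
    '/<\s*script\b/i',
    '/<\s*(img|svg|iframe|body|input)\b[^>]*\bon[a-z]+\s*=/i',
    '/\bon(error|load|mouseover|focus|click)\s*=/i',
    '/javascript\s*:/i',
];

// Combined log format: client ident user [time] "METHOD target HTTP/x" status ...
function parse_request_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Query string, decoded twice. Double decoding catches %253C-style evasion at
// the cost of occasional false positives on legitimately encoded text.
function decode_query(string $target): string
{
    $q = parse_url($target, PHP_URL_QUERY);
    if ($q === null || $q === false) {
        return '';
    }
    return rawurldecode(rawurldecode($q));
}

function find_xss_hits(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_request_line($line);
        if ($req === null) {
            continue;
        }
        $decoded = decode_query($req['target']);
        foreach (XSS_MARKERS as $re) {
            if (preg_match($re, $decoded)) {
                $hits[] = [
                    'ip'          => $req['ip'],
                    'time'        => $req['time'],
                    'target'      => $req['target'],
                    // Requests into the plugin's directory are the ones most
                    // relevant to this CVE; others may target another plugin.
                    'plugin_path' => str_contains($req['target'], 'super-interactive-maps'),
                    'status'      => $req['status'],
                ];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample traffic (not real log data): one benign request, one
// single-encoded payload, one double-encoded payload under the plugin
// directory, and one javascript: URL.
$sample = [
    '203.0.113.5 - - [22/Jan/2026:10:01:02 +0000] "GET /?p=12&map=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Jan/2026:10:02:15 +0000] "GET /?map=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Jan/2026:10:03:40 +0000] "GET /wp-content/plugins/super-interactive-maps/?id=%253Cscript%253Ealert(1)%253C%2Fscript%253E HTTP/1.1" 404 210 "-" "curl/8.0"',
    '192.0.2.1 - - [22/Jan/2026:10:04:00 +0000] "GET /contact/?q=javascript%3Aalert(1) HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
];

foreach (find_xss_hits($sample) as $hit) {
    printf(
        "%s %s %s plugin_path=%s status=%d\n",
        $hit['time'],
        $hit['ip'],
        $hit['target'],
        $hit['plugin_path'] ? 'yes' : 'no',
        $hit['status']
    );
}
```

On the sample above the script reports three of the four lines; the first is benign. Use this for triage of what already hit the site, not as a WAF rule: the marker list is deliberately short, and event handlers, tag names and encodings outside it will slip past, which is the same reason the WAF recommendation above is a stop-gap rather than a fix.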


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  Values Added:   cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Mon, 26 Jan 2026 23:15:00 +0000

Type: Metrics
  Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Interactive Maps super-interactive-maps allows Reflected XSS. This issue affects Super Interactive Maps: from n/a through <= 2.3.
Type: Title
  Values Added: WordPress Super Interactive Maps plugin <= 2.3 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
  Values Added: CWE-79
Type: References
  Values Added: (empty in the record)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:58.046Z

Reserved: 2025-05-30T14:04:26.751Z

Link: CVE-2025-49045

Vulnrichment

Updated: 2026-01-26T22:00:50.391Z

NVD

Status: Deferred

Published: 2026-01-22T17:15:55.407

Modified: 2026-06-17T09:30:42.437

Link: CVE-2025-49045

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:00:13Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')