Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 100plugins Open User Map open-user-map allows DOM-Based XSS.This issue affects Open User Map: from n/a through <= 1.4.14.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Neutralization of Input During Web Page Generation that enables DOM‑Based Cross‑Site Scripting in the 100plugins Open User Map plugin for WordPress. An attacker can inject malicious JavaScript that will run in the browsers of any user who opens a page containing the flaw, potentially allowing manipulation of the page or exfiltration of data from the victim’s session. The description does not specify particular consequences beyond script execution, but the impact is consistent with typical XSS risks.

Affected Systems

WordPress sites running the Open User Map plugin from the 100plugins vendor are affected. All installations with a plugin version from the initial release up to and including 1.4.14 require remediation.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate to high potential impact. The EPSS score is less than 1 %, indicating a low probability of current exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is inferred to be a crafted URL or input that the plugin reflects in the DOM without proper sanitization, enabling DOM‑based XSS.

Generated by OpenCVE AI on April 30, 2026 at 06:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Open User Map plugin to version 1.4.15 or later.
  • If upgrading is not feasible, disable or remove the plugin to eliminate the vulnerable code.
  • Keep WordPress core and all other plugins updated to reduce overall XSS risk and ensure any platform‑wide mitigations are applied.

Generated by OpenCVE AI on April 30, 2026 at 06:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30704 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 100plugins Open User Map allows DOM-Based XSS. This issue affects Open User Map: from n/a through 1.4.14.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 100plugins Open User Map allows DOM-Based XSS. This issue affects Open User Map: from n/a through 1.4.14. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 100plugins Open User Map open-user-map allows DOM-Based XSS.This issue affects Open User Map: from n/a through <= 1.4.14.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 24 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared 100plugins
100plugins open User Map
Wordpress
Wordpress wordpress
Vendors & Products 100plugins
100plugins open User Map
Wordpress
Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 100plugins Open User Map allows DOM-Based XSS. This issue affects Open User Map: from n/a through 1.4.14.
Title WordPress Open User Map Plugin <= 1.4.14 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

100plugins Open User Map
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:39.286Z

Reserved: 2025-08-22T11:36:40.761Z

Link: CVE-2025-57953

cve-icon Vulnrichment

Updated: 2025-09-24T13:49:06.379Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:15:53.763

Modified: 2026-04-23T15:33:07.450

Link: CVE-2025-57953

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T06:30:29Z

Weaknesses