Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows DOM-Based XSS.This issue affects MapSVG: from n/a through <= 8.7.22.
Published: 2025-10-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a DOM‑based XSS flaw in the RomanCode MapSVG plugin that allows an attacker to inject malicious JavaScript into web pages rendered by the plugin. This can lead to theft of session cookies, defacement of content, or drive‑by compromise of site visitors. The weakness is identified as CWE‑79 and is noted to affect all releases up to version 8.7.22.

Affected Systems

The affected component is the WordPress plugin MapSVG (mapsvg‑lite‑interactive‑vector‑maps) provided by RomanCode, available in all versions prior to and including 8.7.22. No specific OS or server configuration is listed, but any WordPress installation deploying this plugin is at risk.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate impact. The EPSS score is less than 1%, suggesting that real‑world exploitation is unlikely at this time, and the vulnerability is not present in the CISA KEV catalog. Attackers would need to trick a user into interacting with a crafted URL or page that loads the plugin’s data; the flaw is entered client‑side and does not require privileged access. The absence of a remote code execution vector keeps the risk lower, but because XSS can be leveraged for credential theft or phishing, administrators should treat it with caution.

Generated by OpenCVE AI on April 29, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MapSVG plugin to version 8.7.23 or later, which contains the XSS fix.
  • If an upgrade is not immediately possible, block or sanitize the plugin’s output by applying a web application firewall rule to reject script payloads.
  • Consider disabling the plugin or removing the affected pages from public reach until the patch is applied.

Generated by OpenCVE AI on April 29, 2026 at 20:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows DOM-Based XSS.This issue affects MapSVG: from n/a through <= 8.7.15. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows DOM-Based XSS.This issue affects MapSVG: from n/a through <= 8.7.22.
Title WordPress MapSVG plugin <= 8.7.15 - Cross Site Scripting (XSS) vulnerability WordPress MapSVG plugin <= 8.7.22 - Cross Site Scripting (XSS) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Mapsvg
Mapsvg mapsvg
Wordpress
Wordpress wordpress
Vendors & Products Mapsvg
Mapsvg mapsvg
Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows DOM-Based XSS.This issue affects MapSVG: from n/a through <= 8.7.15.
Title WordPress MapSVG plugin <= 8.7.15 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Mapsvg Mapsvg
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:06.257Z

Reserved: 2025-10-24T14:24:41.997Z

Link: CVE-2025-62930

cve-icon Vulnrichment

Updated: 2025-10-27T15:14:29.200Z

cve-icon NVD

Status : Deferred

Published: 2025-10-27T02:15:52.740

Modified: 2026-04-27T17:16:35.060

Link: CVE-2025-62930

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:45:19Z

Weaknesses