Impact
The vulnerability is a stored cross‑site scripting flaw that occurs when malicious input is not properly neutralized before being embedded in a web page generated by the WP Mapbox GL JS Maps plugin. An attacker can inject arbitrary JavaScript that will execute in the browser context of any user viewing a page that includes the compromised map, allowing session hijacking, credential theft, or defacement. The weakness (CWE‑79) satisfies the prerequisites for a stored XSS: the input is persisted and later rendered into the page without sanitization or output encoding, resulting in a breach of confidentiality and integrity for end‑users.
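As an added illustration, not code from the WP Mapbox GL JS Maps plugin (this advisory shows none of it), the following hypothetical WordPress shortcode renders stored map data first with the unescaped pattern the advisory describes and then with the stored values neutralized for their output contexts using WordPress's esc_attr() and wp_json_encode(); the meta keys, shortcode name and function names are assumptions.

```php
<?php
// Added example, not the plugin's code. A hypothetical shortcode renders a
// stored map title (attribute context) and stored marker JSON (script
// context). Both values come straight from the database, so whatever was
// persisted is what every viewer's browser receives.

function demo_map_render_unsafe( int $map_id ): string {
    $title   = get_post_meta( $map_id, 'demo_map_title', true );
    $markers = get_post_meta( $map_id, 'demo_map_markers', true );

    // VULNERABLE (CWE-79): the stored strings are concatenated into an HTML
    // attribute and a <script> block with no encoding, so a saved value can
    // terminate the attribute or the script and run in each viewer's browser.
    return '<div class="demo-map" data-title="' . $title . '"></div>'
         . '<script>var demoMarkers = ' . $markers . ';</script>';
}

function demo_map_render_safe( int $map_id ): string {
    $title   = get_post_meta( $map_id, 'demo_map_title', true );
    $markers = get_post_meta( $map_id, 'demo_map_markers', true );

    // Treat the stored marker data as data: decode it to a PHP array and fall
    // back to an empty list if it is not valid JSON.
    $decoded = json_decode( (string) $markers, true );
    if ( ! is_array( $decoded ) ) {
        $decoded = array();
    }

    // esc_attr() encodes quotes and angle brackets for the attribute context.
    // wp_json_encode() emits a JSON literal; PHP's json_encode escapes "/" by
    // default, so a "</script>" inside a string becomes "<\/script>" and
    // cannot close the surrounding script block.
    return '<div class="demo-map" data-title="' . esc_attr( $title ) . '"></div>'
         . '<script>var demoMarkers = ' . wp_json_encode( $decoded ) . ';</script>';
}

// Register only the hardened renderer: [demo_map id="12"].
add_shortcode( 'demo_map', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_map' );
    return demo_map_render_safe( (int) $atts['id'] );
} );
```

Escaping at output time is the fix the CWE-79 classification calls for; validating the marker structure when it is saved is a complementary control, not a substitute.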
Affected Systems
This issue affects the WordPress WP Mapbox GL JS Maps plugin, developed by tempranova, in all releases up to and including 3.0.1. It is inferred that earlier releases are also affected because the description lists no lower bound and the core map rendering logic has not changed prior to the first patched release.
Risk and Exploitability
The vulnerability’s CVSS score of 6.5 indicates moderate severity, while its EPSS score of less than 1% estimates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack requires the attacker to supply malicious input that the plugin stores (either through an administrative interface or a crafted POST request) and then to have the target site render that data, which happens whenever a user visits a page that includes a map rendered by the plugin.
OpenCVE Enrichment