Impact
The Mapster WP Maps plugin for WordPress is vulnerable to stored cross‑site scripting in versions up to 1.20.0 because it fails to sanitize and escape user input in several admin fields. An authenticated attacker with contributor permissions or higher can inject arbitrary scripts that are then stored in the database and served because the plugin outputs the values without escaping. The injected scripts run in the browser context of anyone visiting the affected page, enabling session hijacking, content theft, or site defacement. The weakness is a classic input validation flaw (CWE‑79).
Affected Systems
WordPress sites that have the Mapster WP Maps plugin installed with a version equal to or older than 1.20.0 are affected. The plugin is provided by the vendor Mapster and is deployed as a WordPress plugin, so any site that installs it uses the vulnerable code path. No other products are listed as affected.
Risk and Exploitability
The vulnerability receives a CVSS score of 6.4, indicating moderate severity. The EPSS score is below 1 %, implying a very low probability of exploitation at the time of analysis, and it is not flagged in CISA’s KEV catalog. The attack requires an authenticated user with at least contributor privileges, so the risk is limited to sites where such accounts exist. An attacker who holds such an account can inject persistent scripts that execute on all subsequent page loads by visitors. The exploit path is straightforward: a contributor edits a map field, submits arbitrary JavaScript, and the plugin stores it and later outputs it unescaped.
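For sites that ran an affected version, one way to triage values already stored in the database for script-capable markup is sketched below. This is an added example, not code from the plugin or the advisory; the row layout and the meta key names are constructed placeholders.

```python
from html.parser import HTMLParser

# Elements and URL attributes that can run script when a value is echoed unescaped.
RISKY_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

class _MarkupAudit(HTMLParser):
    """Collects script-capable constructs found in one stored field value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in RISKY_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Normalise case and drop whitespace/control characters before matching.
            scheme = "".join(ch for ch in (value or "").lower() if ch > " ")
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and scheme.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def audit_value(value):
    """Return a list of findings for one stored field value (empty if clean)."""
    parser = _MarkupAudit()
    parser.feed(value)
    parser.close()
    return parser.findings

def audit_rows(rows):
    """rows: (post_id, meta_key, meta_value) tuples; returns only flagged rows."""
    checked = ((pid, key, audit_value(val)) for pid, key, val in rows)
    return [row for row in checked if row[2]]

# Constructed sample rows; the meta keys are placeholders, not the plugin's field names.
SAMPLE_ROWS = [
    (101, "example_map_title", "Downtown office locations"),
    (102, "example_map_popup", '<b>Open</b> 9-5, <a href="https://example.test/">details</a>'),
    (103, "example_map_popup", '<img src=x onerror="/* constructed marker */">'),
    (104, "example_map_title", "Depot</title><script>/* constructed marker */</script>"),
    (105, "example_map_link", '<a href="javascript:void(0)">route</a>'),
]

if __name__ == "__main__":
    for post_id, key, findings in audit_rows(SAMPLE_ROWS):
        print(post_id, key, "; ".join(findings))
```

Flagged rows are leads for manual review, since some fields may legitimately hold markup.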