Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows Reflected XSS. This issue affects Geo Mashup: from n/a through <= 1.13.19.
Published: 2026-05-27
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Geo Mashup plugin for WordPress fails to neutralize user-supplied data that is later rendered in web pages, enabling attackers to inject malicious script in the form of reflected XSS. Such an injection allows an attacker to execute code in a victim's browser, potentially leading to session hijacking, credential theft, or page defacement. The weakness is classified as CWE‑79.

Affected Systems

The vulnerability exists in the Geo Mashup plugin developed by Dylan Kuhn. All versions up to and including 1.13.19 are affected; later releases are not known to contain the flaw.

Risk and Exploitability

The CVSS base score of 7.1 (High) reflects untrusted input leading to reflected XSS. Exploitation is feasible remotely via the public web interface, with no authentication or additional privileges required, although the vector's UI:R component means a victim must interact with attacker-supplied content for the script to run. Although an EPSS score is not available and the flaw is not listed in the CISA KEV catalog, the prevalence of WordPress sites using this plugin indicates a substantial risk of exploitation in the wild.

Generated by OpenCVE AI on May 27, 2026 at 11:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Geo Mashup plugin to a version newer than 1.13.19 or a release where the input sanitization is fixed.
  • If an upgrade is not immediately possible, deploy a web application firewall that blocks or sanitizes script tags and other disallowed payloads before they reach the plugin.
  • Configure a Content-Security-Policy header that restricts script execution to trusted origins, mitigating the impact of any residual XSS injection attempts.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dylan Kuhn; Dylan Kuhn geo Mashup; Wordpress; Wordpress wordpress
Vendors & Products | | Dylan Kuhn; Dylan Kuhn geo Mashup; Wordpress; Wordpress wordpress

Wed, 27 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows Reflected XSS. This issue affects Geo Mashup: from n/a through <= 1.13.19.
Title | | WordPress Geo Mashup plugin <= 1.13.19 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:54:32.385Z

Reserved: 2026-04-29T09:05:25.570Z

Link: CVE-2026-42734

Vulnrichment

Updated: 2026-05-27T10:54:27.267Z

NVD

Status: Received

Published: 2026-05-27T11:16:19.997

Modified: 2026-05-27T11:16:19.997

Link: CVE-2026-42734

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:30:25Z
