Description
Unauthenticated Cross Site Scripting (XSS) in MapPress Maps for WordPress <= 2.97.3 versions.
Published: 2026-06-26
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross Site Scripting flaw in the MapPress Maps for WordPress plugin versions 2.97.3 and earlier. It allows an attacker to inject arbitrary JavaScript or malicious content into web pages that load the plugin. This can expose sensitive data or perform unintended actions when site visitors load the affected pages, because the code runs in the context of the victims' browsers. The weakness is caused by insufficient sanitization of user‑supplied input, as classified by CWE‑79.

Affected Systems

The issue affects installations of the MapPress Maps for WordPress plugin developed by Chris Richardson. All sites running version 2.97.3 or older of the plugin are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity, reflecting that unauthenticated attackers can exploit the flaw without additional access. The EPSS score is not available, so the exact exploitation likelihood is unknown, and the KEV status shows no confirmed widespread exploitation. The likely attack vector is through crafted URLs or input fields that the plugin processes without proper filtering, enabling attackers to embed malicious scripts that run in the browsers of all site visitors.

Generated by OpenCVE AI on June 26, 2026 at 17:50 UTC.

Remediation

Vendor Solution

Update the WordPress MapPress Maps for WordPress Plugin to the latest available version (at least 2.97.4).

OpenCVE Recommended Actions

  • Update the MapPress Maps plugin to version 2.97.4 or newer.
  • If an update cannot be applied immediately, temporarily disable the plugin to block exposure.
  • Continuously check the official vendor website or plugin repository for updates and apply any future fixes as soon as they become available.

Generated by OpenCVE AI on June 26, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Cross Site Scripting (XSS) in MapPress Maps for WordPress <= 2.97.3 versions.
Title WordPress MapPress Maps for WordPress plugin <= 2.97.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:04:26.616Z

Reserved: 2026-06-18T09:31:56.471Z

Link: CVE-2026-56011

cve-icon Vulnrichment

Updated: 2026-06-26T17:03:54.111Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T18:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')