Skip to main content

AcuGIS Leaflet Maps CVE-2025-27278

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:51 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound AcuGIS Leaflet Maps allows Reflected XSS. This issue affects AcuGIS Leaflet Maps: from n/a through 5.1.1.0.

AnalysisAI

Reflected cross-site scripting in AcuGIS Leaflet Maps WordPress plugin (versions through 5.1.1.0) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but no authentication, enabling potential session hijacking, credential theft, or malicious actions in the context of authenticated WordPress users. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, and no public exploit code has been identified at time of analysis.

Technical ContextAI

This is a classic reflected XSS vulnerability (CWE-79) in a WordPress plugin that provides interactive Leaflet mapping functionality. The plugin fails to properly sanitize user-supplied input before rendering it in HTML responses, allowing attackers to inject malicious JavaScript. The WordPress plugin ecosystem uses PHP for server-side rendering and JavaScript for client interactions - improper output encoding in PHP templates or AJAX handlers commonly leads to XSS. The CVSS vector indicates scope change (S:C), meaning the vulnerable component (plugin) operates in a different security context than the impacted component (user's browser session), typical of client-side injection attacks. AcuGIS Leaflet Maps integrates the open-source Leaflet.js library for map rendering, and vulnerabilities likely exist in custom PHP handlers that process map parameters, shortcode attributes, or AJAX endpoints without adequate validation.

Affected ProductsAI

AcuGIS Leaflet Maps WordPress plugin versions from earliest available release through version 5.1.1.0 are confirmed vulnerable per Patchstack advisory. The plugin slug is 'mapfig-premium-leaflet-map-maker' based on reference URLs. No CPE data is available in the provided intelligence. WordPress installations running this plugin on any version up to and including 5.1.1.0 should be considered at risk. The vulnerability affects both free and premium versions if distributed under the same codebase. Full vendor advisory available at https://patchstack.com/database/wordpress/plugin/mapfig-premium-leaflet-map-maker/vulnerability/wordpress-acugis-leaflet-maps-plugin-5-1-1-0-multiple-cross-site-scripting-xss-vulnerabilities.

RemediationAI

Upgrade AcuGIS Leaflet Maps plugin to version 5.1.1.1 or later if available - check the WordPress plugin repository or vendor site for patched releases. The Patchstack advisory URL (https://patchstack.com/database/wordpress/plugin/mapfig-premium-leaflet-map-maker/vulnerability/wordpress-acugis-leaflet-maps-plugin-5-1-1-0-multiple-cross-site-scripting-xss-vulnerabilities) should contain specific patch version information. If no patched version exists, implement compensating controls: restrict WordPress admin access to trusted IP ranges via .htaccess or firewall rules to limit phishing surface area; deploy Content Security Policy headers to block inline script execution (though this may break legitimate plugin functionality and requires testing); educate admin users to avoid clicking untrusted links while logged into WordPress; consider temporarily disabling the plugin if mapping functionality is non-critical until a patch is released. Web Application Firewall rules targeting common XSS patterns in query parameters may provide detection but can be bypassed with encoding variations. Monitor WordPress access logs for suspicious query string patterns containing script tags or JavaScript event handlers.

Share

CVE-2025-27278 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy