AcuGIS Leaflet Maps CVE-2025-27278
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound AcuGIS Leaflet Maps allows Reflected XSS. This issue affects AcuGIS Leaflet Maps: from n/a through 5.1.1.0.
AnalysisAI
Reflected cross-site scripting in AcuGIS Leaflet Maps WordPress plugin (versions through 5.1.1.0) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but no authentication, enabling potential session hijacking, credential theft, or malicious actions in the context of authenticated WordPress users. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, and no public exploit code has been identified at time of analysis.
Technical ContextAI
This is a classic reflected XSS vulnerability (CWE-79) in a WordPress plugin that provides interactive Leaflet mapping functionality. The plugin fails to properly sanitize user-supplied input before rendering it in HTML responses, allowing attackers to inject malicious JavaScript. The WordPress plugin ecosystem uses PHP for server-side rendering and JavaScript for client interactions - improper output encoding in PHP templates or AJAX handlers commonly leads to XSS. The CVSS vector indicates scope change (S:C), meaning the vulnerable component (plugin) operates in a different security context than the impacted component (user's browser session), typical of client-side injection attacks. AcuGIS Leaflet Maps integrates the open-source Leaflet.js library for map rendering, and vulnerabilities likely exist in custom PHP handlers that process map parameters, shortcode attributes, or AJAX endpoints without adequate validation.
Affected ProductsAI
AcuGIS Leaflet Maps WordPress plugin versions from earliest available release through version 5.1.1.0 are confirmed vulnerable per Patchstack advisory. The plugin slug is 'mapfig-premium-leaflet-map-maker' based on reference URLs. No CPE data is available in the provided intelligence. WordPress installations running this plugin on any version up to and including 5.1.1.0 should be considered at risk. The vulnerability affects both free and premium versions if distributed under the same codebase. Full vendor advisory available at https://patchstack.com/database/wordpress/plugin/mapfig-premium-leaflet-map-maker/vulnerability/wordpress-acugis-leaflet-maps-plugin-5-1-1-0-multiple-cross-site-scripting-xss-vulnerabilities.
RemediationAI
Upgrade AcuGIS Leaflet Maps plugin to version 5.1.1.1 or later if available - check the WordPress plugin repository or vendor site for patched releases. The Patchstack advisory URL (https://patchstack.com/database/wordpress/plugin/mapfig-premium-leaflet-map-maker/vulnerability/wordpress-acugis-leaflet-maps-plugin-5-1-1-0-multiple-cross-site-scripting-xss-vulnerabilities) should contain specific patch version information. If no patched version exists, implement compensating controls: restrict WordPress admin access to trusted IP ranges via .htaccess or firewall rules to limit phishing surface area; deploy Content Security Policy headers to block inline script execution (though this may break legitimate plugin functionality and requires testing); educate admin users to avoid clicking untrusted links while logged into WordPress; consider temporarily disabling the plugin if mapping functionality is non-critical until a patch is released. Web Application Firewall rules targeting common XSS patterns in query parameters may provide detection but can be bypassed with encoding variations. Monitor WordPress access logs for suspicious query string patterns containing script tags or JavaScript event handlers.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today