CVE-2025-62930

MEDIUM 6.1 (CVSS 3.1)
2025-10-27 [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 27, 2025 - 02:15 (nvd), MEDIUM 6.1

Description (NVD)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RomanCode MapSVG mapsvg-lite-interactive-vector-maps allows DOM-Based XSS. This issue affects MapSVG: from n/a through <= 8.7.22.

Analysis (AI)

DOM-based cross-site scripting (XSS) in RomanCode MapSVG WordPress plugin versions up to 8.7.22 allows remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of web sessions. Although the CVSS score is 6.1 (medium), the EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been identified; this suggests the practical attack likelihood is minimal despite the moderate CVSS rating.

Technical Context (AI)

The vulnerability stems from improper input neutralization during dynamic web page generation, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). MapSVG is a WordPress plugin that generates interactive SVG-based vector maps. The DOM-based XSS occurs when user-controlled input is rendered into the DOM without adequate sanitization or output encoding, allowing attackers to inject arbitrary JavaScript that executes in the context of affected users' browsers. The attack vector is network-based, requires no special privileges (PR:N), but does require user interaction (UI:R), such as clicking a malicious link or visiting a compromised page.

Affected Products (AI)

RomanCode MapSVG (mapsvg-lite-interactive-vector-maps WordPress plugin) versions from an unspecified starting point through version 8.7.22 inclusive are affected. The plugin is available via the WordPress Plugin Directory and distributed under the RomanCode brand. Affected users should identify their installed version in the WordPress plugins management interface or via wp-cli; any version numbered 8.7.22 or earlier requires remediation.

Remediation (AI)

Update the MapSVG plugin to a version newer than 8.7.22 via the WordPress plugin management dashboard (Plugins > Installed Plugins > MapSVG, then click Update if available) or via command line using wp-cli. If a patched version number is not yet publicly released, check the plugin's changelog on wordpress.org/plugins/mapsvg-lite-interactive-vector-maps or contact RomanCode directly for guidance. As an interim measure, restrict plugin functionality to trusted administrators only and limit user input sources that feed into map generation until a patch is confirmed available. See https://patchstack.com/database/Wordpress/Plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-15-cross-site-scripting-xss-vulnerability for vendor advisory details.
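
The version check described under Affected Products and Remediation, turned into a script: this is an added shell example, not code from vuln.today or RomanCode. It assumes wp-cli is installed on the WordPress host and that `mapsvg-lite-interactive-vector-maps` is the slug wp-cli reports for the plugin; the cut-off 8.7.22 is the one the advisory states.

```shell
#!/bin/sh
# Added example (not vuln.today's or RomanCode's code): flag a MapSVG install whose
# version lies in the range the advisory lists (every version through 8.7.22) and,
# when wp-cli is present, read that version straight from WordPress.

PLUGIN_SLUG="mapsvg-lite-interactive-vector-maps"   # plugin slug named in the advisory
LAST_AFFECTED="8.7.22"                              # "through <= 8.7.22"

# version_le A B: exit 0 when A <= B, comparing each dot-separated field as a
# number. Deliberately avoids `sort -V`, which is a GNU extension.
version_le() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax="${a%%.*}"; bx="${b%%.*}"
    # keep only the leading digits so a suffix such as "22-beta" still compares
    ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"
    ax="${ax:-0}"; bx="${bx:-0}"
    if [ "$ax" -lt "$bx" ]; then return 0; fi
    if [ "$ax" -gt "$bx" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 0   # all fields equal
}

# is_affected VERSION: exit 0 when VERSION is 8.7.22 or older.
is_affected() { version_le "$1" "$LAST_AFFECTED"; }

# installed_version: print the active plugin version via wp-cli, or exit 1
# when wp-cli is missing or the plugin is not installed.
installed_version() {
  command -v wp >/dev/null 2>&1 || return 1
  wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null
}

# report VERSION: print the verdict; exit 1 when an update is needed so the
# check can gate a deploy job or a fleet audit.
report() {
  if is_affected "$1"; then
    echo "MapSVG $1 is within the advisory range (<= $LAST_AFFECTED)."
    echo "Update with: wp plugin update $PLUGIN_SLUG (check the changelog first)."
    return 1
  fi
  echo "MapSVG $1 is newer than $LAST_AFFECTED, outside the advisory range."
}

# Usage: ./check-mapsvg.sh          (reads the version through wp-cli)
#        ./check-mapsvg.sh 8.7.22   (checks a version you supply)
if [ $# -gt 0 ]; then report "$1"; elif v="$(installed_version)"; then report "$v"; fi
```

A version above 8.7.22 only means it is outside the range this advisory lists; confirm in the plugin changelog that the fix is actually included before closing the finding.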

CVE-2025-62930 vulnerability details – vuln.today