Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup allows Stored XSS.
This issue affects Geo Mashup: from n/a through 1.13.18.
AnalysisAI
Stored XSS in the Geo Mashup WordPress plugin (versions through 1.13.18) allows authenticated low-privileged users to persistently inject malicious JavaScript into pages served by the affected site. When a higher-privileged user - such as an administrator - views the content containing the stored payload, the script executes in their browser under a changed scope, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and an EPSS of 0.03% (10th percentile) combined with SSVC exploitation status of 'none' confirms very low current real-world exploitation activity.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: user-supplied input accepted by the Geo Mashup plugin is stored in the WordPress database without adequate sanitization or output encoding, then rendered directly into HTML responses. Geo Mashup, developed by Dylan Kuhn, is a WordPress plugin that embeds geographic maps and location data into posts and pages. The CPE string cpe:2.3:a:dylan_kuhn:geo_mashup:*:*:*:*:*:*:*:* covers all versions up to and including 1.13.18. The CVSS scope change indicator (S:C) is expected for stored XSS - the injected script executes in the browser context of a different user than the one who submitted the payload, crossing security boundaries between contributor and administrative sessions.
RemediationAI
The primary fix is to update the Geo Mashup plugin to a version beyond 1.13.18 via the WordPress plugin dashboard or WordPress.org repository; however, an exact confirmed fixed release version is not present in the available input data - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/geo-mashup/vulnerability/wordpress-geo-mashup-plugin-1-13-18-cross-site-scripting-xss-vulnerability should be consulted to confirm the specific patched version before deploying the update. As a compensating control pending the patch, restrict contributor and editor roles so that only fully trusted users can submit location or map content processed by the plugin; this eliminates the authenticated injection vector at the cost of limiting plugin functionality for lower-trust users. Enabling a WAF with XSS rule sets (e.g., Wordfence or Cloudflare WAF) can filter malicious payloads in transit, though legitimate map embed syntax may trigger false positives requiring rule tuning. Disabling the Geo Mashup plugin entirely removes the attack surface completely but eliminates all geo-mapping functionality.
More in Geo Mashup
View allThe Geo Mashup plugin before 1.10.4 for WordPress has insufficient sanitization of post editor and other user input. Rat
SQL injection in the Geo Mashup WordPress plugin (versions <= 1.13.19) allows authenticated users with Subscriber-level
Cross-site scripting (XSS) vulnerability in the geo search widget in the Geo Mashup plugin before 1.8.3 for WordPress al
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31804
GHSA-7r8v-3xv6-7cm6