Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bozdoz Leaflet Map leaflet-map allows Stored XSS.This issue affects Leaflet Map: from n/a through <= 3.4.4.
AnalysisAI
Stored cross-site scripting (XSS) in bozdoz Leaflet Map WordPress plugin versions up to 3.4.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, or website defacement. The vulnerability has a low EPSS score (0.03%, 8th percentile) suggesting minimal real-world exploitation likelihood despite moderate CVSS severity, and no public exploit code or active exploitation has been confirmed.
Technical ContextAI
The vulnerability stems from improper neutralization of user-supplied input during web page generation (CWE-79), a classic stored XSS flaw where the Leaflet Map plugin fails to adequately sanitize or escape user input before rendering it in HTML output. This allows an authenticated user with low-level WordPress permissions (PR:L in CVSS vector) to craft malicious payloads that persist in the application's database. When other users, including administrators, view pages containing the injected content, the JavaScript executes in their browser context with the site's same-origin privileges. The CPE identifier cpe:2.3:a:bozdoz:leaflet_map indicates this affects the bozdoz Leaflet Map product family across all configurations, platforms, and languages in the affected version range.
RemediationAI
Update the bozdoz Leaflet Map plugin to a version newer than 3.4.4 immediately. WordPress administrators should navigate to Plugins → Installed Plugins, locate Leaflet Map, and select 'Update' if a patched version is available in the WordPress.org plugin repository. If no update is yet available from the plugin author, disable the plugin temporarily and consider alternative map embedding solutions until a patch is released. Review plugin access controls and ensure only trusted administrators have permissions to create or modify map content pending a vendor-released patch. The official vulnerability report and patch status can be verified through Patchstack's database entry and the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-39646
More in Leaflet Map
View allThe Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows atta
The Leaflet Map WordPress plugin before 3.0.0 does not escape some shortcode attributes before they are used in JavaScri
The Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20307
GHSA-jggj-35mq-63v8