Skip to main content

Geo Mashup EUVDEUVD-2026-31804

| CVE-2026-27427 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-26 Patchstack GHSA-7r8v-3xv6-7cm6
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:27 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup allows Stored XSS.

This issue affects Geo Mashup: from n/a through 1.13.18.

AnalysisAI

Stored XSS in the Geo Mashup WordPress plugin (versions through 1.13.18) allows authenticated low-privileged users to persistently inject malicious JavaScript into pages served by the affected site. When a higher-privileged user - such as an administrator - views the content containing the stored payload, the script executes in their browser under a changed scope, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and an EPSS of 0.03% (10th percentile) combined with SSVC exploitation status of 'none' confirms very low current real-world exploitation activity.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause: user-supplied input accepted by the Geo Mashup plugin is stored in the WordPress database without adequate sanitization or output encoding, then rendered directly into HTML responses. Geo Mashup, developed by Dylan Kuhn, is a WordPress plugin that embeds geographic maps and location data into posts and pages. The CPE string cpe:2.3:a:dylan_kuhn:geo_mashup:*:*:*:*:*:*:*:* covers all versions up to and including 1.13.18. The CVSS scope change indicator (S:C) is expected for stored XSS - the injected script executes in the browser context of a different user than the one who submitted the payload, crossing security boundaries between contributor and administrative sessions.

RemediationAI

The primary fix is to update the Geo Mashup plugin to a version beyond 1.13.18 via the WordPress plugin dashboard or WordPress.org repository; however, an exact confirmed fixed release version is not present in the available input data - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/geo-mashup/vulnerability/wordpress-geo-mashup-plugin-1-13-18-cross-site-scripting-xss-vulnerability should be consulted to confirm the specific patched version before deploying the update. As a compensating control pending the patch, restrict contributor and editor roles so that only fully trusted users can submit location or map content processed by the plugin; this eliminates the authenticated injection vector at the cost of limiting plugin functionality for lower-trust users. Enabling a WAF with XSS rule sets (e.g., Wordfence or Cloudflare WAF) can filter malicious payloads in transit, though legitimate map embed syntax may trigger false positives requiring rule tuning. Disabling the Geo Mashup plugin entirely removes the attack surface completely but eliminates all geo-mapping functionality.

Share

EUVD-2026-31804 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy