CVE-2025-15345: XSS in MapGeo – Interactive Geo Maps
Platform
wordpress
Component
interactive-geo-maps
Fixed in
1.6.28
CVE-2025-15345 identifies a Reflected Cross-Site Scripting (XSS) vulnerability affecting the MapGeo – Interactive Geo Maps plugin for WordPress. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages. The issue impacts versions 1.0.0 through 1.6.27, and a patch is available in version 1.6.28.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
Successful exploitation of CVE-2025-15345 allows an attacker to execute malicious JavaScript code within the context of a user's browser. This can lead to various consequences, including session hijacking, credential theft, and defacement of the affected WordPress site. Attackers could craft malicious links containing the injected script and trick users into clicking them, leading to the execution of the attacker's code. The impact is amplified if the website handles sensitive user data or financial transactions, as attackers could potentially steal this information. This vulnerability shares similarities with other XSS vulnerabilities where user input is not properly sanitized before being displayed, leading to code injection.
Exploitation Context
CVE-2025-15345 was published on 2026-05-14. Its severity is currently assessed as Medium (CVSS 6.1). No public Proof-of-Concept (POC) exploits have been publicly disclosed at the time of writing, but the vulnerability's nature makes it likely that such exploits will emerge. There are no indications of active exploitation campaigns targeting this vulnerability at this time. Refer to the WordPress security advisory for further details.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- Required — victim must take an action: open a file, click a link, or visit a crafted page.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- Low — partial or indirect data access. Attacker gains limited information.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2025-15345 is to immediately upgrade the MapGeo – Interactive Geo Maps plugin to version 1.6.28 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious characters in the 'map' parameter. Additionally, carefully review any user input used in the display-map shortcode and ensure proper input sanitization and output escaping are implemented. Regularly scan your WordPress installation for vulnerable plugins using security scanning tools.
How to fix
Update to version 1.6.28, or a newer patched version
Frequently asked questions
What is CVE-2025-15345 — XSS in MapGeo – Interactive Geo Maps?
CVE-2025-15345 is a Reflected Cross-Site Scripting (XSS) vulnerability in the MapGeo WordPress plugin, allowing attackers to inject malicious scripts via the 'map' parameter. It affects versions 1.0.0 through 1.6.27.
Am I affected by CVE-2025-15345 in MapGeo – Interactive Geo Maps?
You are affected if you are using the MapGeo plugin in WordPress versions 1.0.0 to 1.6.27. Check your plugin version immediately and upgrade if necessary.
How do I fix CVE-2025-15345 in MapGeo – Interactive Geo Maps?
Upgrade the MapGeo plugin to version 1.6.28 or later to resolve the vulnerability. Consider implementing a WAF rule as a temporary mitigation if immediate upgrade is not possible.
Is CVE-2025-15345 being actively exploited?
There are currently no public reports of active exploitation campaigns targeting CVE-2025-15345, but the vulnerability's nature makes it a potential target.
Where can I find the official MapGeo advisory for CVE-2025-15345?
Refer to the WordPress security advisory and the MapGeo plugin's official website for the latest information and updates regarding CVE-2025-15345.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...