CVE-2015-7668
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Cross-site scripting (XSS) vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.3.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map_id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Easy2Map WordPress plugin's map_id parameter before 1.3.0 allows unauthenticated attackers to inject arbitrary scripts.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the includes/MapPinImageSave.php file of the Easy2Map plugin for WordPress, affecting versions before 1.3.0. The map_id parameter is insufficiently sanitized before being output, allowing injection of arbitrary HTML or JavaScript. The plugin has been closed in the WordPress.org directory as of August 8, 2019 due to an unresolved security issue [1].
Exploitation
The attacker does not require authentication; they can craft a malicious URL containing the XSS payload in the map_id parameter and send it to a logged-in administrator. No special privileges or write access is needed. User interaction (clicking the link) is required for the payload to execute in the context of the victim's browser session.
Impact
Successful exploitation enables the attacker to execute arbitrary web scripts in the victim's browser. This can lead to session hijacking, defacement of the admin interface, or theft of sensitive data (e.g., cookies or nonces) within the WordPress admin context. The attack is limited to reflected XSS; it does not directly provide server-side code execution unless combined with another flaw.
Mitigation
The plugin was closed on August 8, 2019 and no patched version (1.3.0 or later) was ever officially distributed to address this issue. No workaround is available. Users must uninstall the plugin immediately and switch to an alternative mapping solution. The plugin is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
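Before or after removing the plugin, web server access logs can show whether the vulnerable script was probed. The following is an added example, not code from the plugin or from any cited advisory: it scans common/combined-format log lines for requests to includes/MapPinImageSave.php whose map_id carries markup characters. It assumes map_id arrives in the query string and that a legitimate value is a plain identifier; the log lines and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script path as named in the CVE description.
TARGET = "includes/mappinimagesave.php"
# Assumption: a legitimate map_id is a plain identifier, so markup or
# script metacharacters in the decoded value deserve an analyst's look.
SUSPICIOUS = re.compile(r'''[<>"'`(){}]|javascript:''', re.I)
# Client address, request URI and status from a common/combined log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2015:13:55:36 +0000] "GET /wp-content/plugins/easy2map/includes/MapPinImageSave.php?map_id=12 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2015:14:01:02 +0000] "GET /wp-content/plugins/easy2map/includes/MapPinImageSave.php?map_id=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [09/Aug/2019:08:15:44 +0000] "GET /wp-content/plugins/easy2map/includes/MapPinImageSave.php?map_id=%253Cb%253E HTTP/1.1" 404 162',
    '198.51.100.4 - - [10/Oct/2015:14:05:10 +0000] "GET /index.php?s=%3Cb%3E HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_probes(lines):
    """Return (client, status, decoded map_id) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, uri, status = m.groups()
        parts = urlsplit(uri)
        if not unquote(parts.path).lower().endswith(TARGET):
            continue
        # parse_qs decodes once; fully_decode catches double encoding.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("map_id", []):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits.append((client, int(status), value))
    return hits

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

A 404 hit means the script was requested after it was no longer present; a 200 hit means the request reached an installed copy. Values sent in a POST body do not appear in access logs and are not covered.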
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <1.3.0
Patches
easy2map: This plugin has been removed from the WordPress.org directory on 2019-08-08 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
- www.securityfocus.com/archive/1/536598/100/0/threaded (nvd: Third Party Advisory, VDB Entry)
- wordpress.org/plugins/easy2map/ (nvd: Release Notes, Third Party Advisory)
- wpvulndb.com/vulnerabilities/8205 (nvd: Third Party Advisory)