CVE-2025-27278
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Ghedini AcuGIS Leaflet Maps mapfig-premium-leaflet-map-maker allows Reflected XSS. This issue affects AcuGIS Leaflet Maps: from n/a through <= 5.1.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AcuGIS Leaflet Maps WordPress plugin ≤5.1.1.0 suffers from a Reflected XSS flaw due to improper input sanitization, enabling script injection via crafted requests.
Vulnerability
Analysis
The AcuGIS Leaflet Maps plugin for WordPress (mapfig-premium-leaflet-map-maker) is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to and including 5.1.1.0. The root cause is improper neutralization of user-supplied input during web page generation [1]: a request parameter is written into the response page without proper sanitization or output encoding, so an attacker can inject arbitrary HTML and JavaScript code into that page.
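To make the weakness class concrete for plugin maintainers, the following is an added illustration of the reflected-XSS pattern and its fix in WordPress PHP. It is hypothetical code written for this page, not code from the AcuGIS Leaflet Maps plugin; the parameter name `map_title`, the shortcode tag and the function names are assumptions, and the snippet assumes it is loaded inside WordPress so that the `wp_unslash`, `sanitize_text_field`, `esc_html`, `esc_attr` and `add_shortcode` functions are available.

```php
<?php
// Added illustration (not code from the AcuGIS Leaflet Maps plugin): a hypothetical
// WordPress shortcode that reflects a request parameter into the page.
// The parameter name, function names and shortcode tag are assumptions.

// VULNERABLE pattern: the raw request value is concatenated straight into HTML
// (CWE-79, the weakness class named in the CVE). Whatever the URL carries in
// map_title ends up in the response unchanged, in both a text and an attribute context.
function example_map_title_unsafe( $atts ) {
    $title = isset( $_GET['map_title'] ) ? $_GET['map_title'] : 'Map';
    return '<h2 class="map-title">' . $title . '</h2>'
         . '<div id="map" data-title="' . $title . '"></div>';
}

// HARDENED pattern: unslash the request value (WordPress adds magic-quote slashes),
// reduce it to plain text, then escape for the exact output context at the point
// of output: esc_html() for element content, esc_attr() for attribute values.
function example_map_title_safe( $atts ) {
    $title = isset( $_GET['map_title'] )
        ? sanitize_text_field( wp_unslash( $_GET['map_title'] ) )
        : 'Map';
    return '<h2 class="map-title">' . esc_html( $title ) . '</h2>'
         . '<div id="map" data-title="' . esc_attr( $title ) . '"></div>';
}

// Only the hardened handler is registered; the unsafe one is kept for comparison.
add_shortcode( 'example_map_title', 'example_map_title_safe' );
```

The review check that catches this class of bug is mechanical: every `$_GET`, `$_POST` or `$_REQUEST` value that reaches page output must pass through an escaping function chosen for its output context (element content, attribute, URL or JavaScript), and sanitization on input is not a substitute for escaping on output.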
Exploitation
Exploitation requires user interaction — a privileged user must click a malicious link or visit a crafted page that triggers the reflected payload [1]. The vulnerability is classified as High severity (CVSS 7.1) and is expected to be leveraged in mass-exploit campaigns targeting thousands of sites regardless of size or traffic [1]. No authentication is needed to deliver the malicious link, though successful injection depends on the victim's session.
Impact
An attacker can execute arbitrary scripts in the context of the victim's browser session, leading to actions such as redirecting visitors to malicious sites, injecting advertisements, or exfiltrating sensitive data [1]. This could degrade site integrity, harm visitor trust, or facilitate further attacks.
Mitigation
Users should update the plugin immediately if a patched version becomes available. The Patchstack advisory recommends applying mitigation rules to block attacks until an official patch can be safely deployed [1]. No workarounds are provided by the vendor.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 5.1.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.