CVE-2026-27427
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup allows Stored XSS.
This issue affects Geo Mashup: from n/a through 1.13.18.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Geo Mashup plugin (≤1.13.18) allows privileged users to inject scripts that execute when visitors view the page.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Geo Mashup WordPress plugin, versions from n/a through 1.13.18. The plugin fails to properly neutralize user input during web page generation, allowing injection of arbitrary HTML and JavaScript that gets stored on the server. The vulnerability is present in the plugin's handling of data contributed by users with certain privileges.
Exploitation
To exploit this vulnerability, an attacker needs a user role with sufficient privileges to submit or edit content using Geo Mashup (e.g., authors or editors). No special network position is required beyond normal web access. The attacker injects a malicious script payload into one of the plugin's input fields; this payload is stored and later rendered unsanitized. Successful exploitation additionally requires a privileged user (such as an administrator) to perform an action, such as viewing the injected page or previewing content, which triggers the stored script.
Impact
A successful attack allows the attacker to inject arbitrary scripts that execute in the browser of any visitor (including administrators) when they access the affected page. The attacker can then perform actions such as redirecting users to malicious sites, displaying misleading advertisements, or stealing session cookies. The scope of compromise remains within the WordPress site and its users; the attacker does not gain server-side code execution.
Mitigation
The vulnerability is fixed in version 1.13.19 of the Geo Mashup plugin. Users should update to this version or later immediately. For users unable to update, temporary workarounds include disabling the plugin or restricting the roles that can contribute content. Patchstack users can enable auto-updates for vulnerable plugins only [1]. No evidence of exploitation in the wild or KEV listing is currently available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries (no CPE), range: <=1.13.18
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference
News mentions
No linked articles in our index yet.