CVE-2026-39646

The Leaflet Map plugin for WordPress versions up to and including 3.4.4 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary JavaScript or HTML into the plugin's map data, which is then executed in the browsers of visitors viewing the affected page.

Exploitation requires that an attacker with sufficient privileges—such as an editor or administrator—submit crafted input through the plugin's interface. The injected payload becomes permanently stored and automatically executed without further user interaction when site visitors load the page containing the map [1]. This makes the vulnerability suitable for mass-exploit campaigns targeting multiple WordPress sites.

The impact of successful exploitation includes the ability to redirect visitors to malicious sites, display unwanted advertisements, or steal sensitive session cookies, potentially compromising both site integrity and user privacy [1]. The vulnerability is classified as medium severity with a CVSS v3 score of 6.5.

As a mitigation, the vendor has released version 3.4.5 which remediates the issue by properly sanitizing input fields. Users are strongly advised to update the plugin immediately. For sites that cannot update promptly, engaging a hosting provider or web developer for temporary security measures is recommended [1]. Patchstack users can enable auto-updates for affected plugins.