VYPR
High severity 7.1 · NVD Advisory · Published May 27, 2026

CVE-2026-42734


Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows Reflected XSS. This issue affects Geo Mashup: from n/a through <= 1.13.19.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected cross-site scripting (XSS) vulnerability in the Geo Mashup plugin for WordPress (versions ≤1.13.19) allows attackers to inject arbitrary scripts via a malicious link.

Vulnerability

The Geo Mashup WordPress plugin versions 1.13.19 and earlier fail to properly neutralize user-supplied input, leading to a reflected cross-site scripting (XSS) vulnerability [1]. An attacker can inject malicious scripts into a page that will be executed in the browser of a user who visits a crafted link. The vulnerable parameters are not detailed in the available references, but the issue applies to plugin versions from n/a through 1.13.19 inclusive [1].

Exploitation

Exploitation requires user interaction: a privileged WordPress user (such as an administrator) must be tricked into clicking a specially crafted link, visiting a maliciously constructed page, or submitting a form [1]. The attacker does not need prior authentication or special network position; the attack is initiated by luring the victim to the crafted request via email, social engineering, or another website [1].

Impact

A successful attack allows the attacker to inject arbitrary HTML and JavaScript into the victim's browser session within the context of the affected WordPress site. This can be used to perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, stealing session cookies, or executing other payloads that could compromise the site's integrity and user trust [1].

Mitigation

Patched version 1.13.20 has been released to resolve the vulnerability. The vendor advises immediate update to version 1.13.20 or later [1]. For sites that cannot immediately update, Patchstack provides a mitigation rule to block attacks until the plugin is updated [1]. No other workarounds are listed in the available references.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
