CVE-2026-5451

Vulnerability

Details

The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 4.14. The flaw resides in the 'elevation-track' shortcode, where user-supplied attributes are not properly sanitized or escaped before being stored and later rendered. This insufficient input handling allows the injection of arbitrary JavaScript or HTML into page content [1].

Exploitation

Prerequisites

An attacker must have at least Contributor-level access to the WordPress site (i.e., an authenticated user with the ability to publish or edit posts/pages). The attacker then inserts a crafted 'elevation-track' shortcode with malicious payloads into an attribute. No special network position or administrative privileges are required; the injection occurs when the content is saved and later viewed by another user [1].

Impact

When a victim — typically a site visitor or other user — accesses a page containing the injected shortcode, the attacker's script executes in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is amplified because the injected script runs automatically without user interaction, affecting any role that visits the compromised page [1].

Mitigation

The vendor has not released a patched version as of the publication date; users are advised to upgrade once available. No workarounds are documented, but limiting Contributor-level user trust and auditing shortcode usage can reduce risk. This CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].