Cyber Posture

CVE-2024-56267

High

Published: 02 January 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0014 (34.3th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in html5maps Interactive UK Map interactive-uk-map allows Stored XSS. This issue affects Interactive UK Map: from n/a through <= 3.4.8.

Security Summary

CVE-2024-56267 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Stored Cross-site Scripting (XSS) under CWE-79, in the html5maps Interactive UK Map WordPress plugin (also referred to as interactive-uk-map). This issue affects all versions of the plugin up to and including 3.4.8.

The vulnerability can be exploited over the network (AV:N) with low attack complexity (AC:L). It requires no privileges (PR:N) but does require user interaction (UI:R), and it results in a changed scope (S:C) with low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 7.1. Attackers can leverage CSRF to inject malicious payloads that are stored and then executed when users, such as site administrators or visitors, interact with the affected interactive map feature.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/interactive-uk-map/vulnerability/wordpress-interactive-uk-map-plugin-3-4-8-csrf-to-stored-cross-site-scripting-xss-vulnerability?_s_id=cve documents the CSRF-to-Stored XSS vulnerability specifically in version 3.4.8 and provides details on affected installations for mitigation guidance.

Details

CWE(s)
CWE-79

References