CVE-2025-27278

CVE-2025-27278 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the AcuGIS Leaflet Maps WordPress plugin (mapfig-premium-leaflet-map-maker) developed by David Ghedini. The issue affects all versions from n/a through 5.1.1.0 and was published on 2025-03-03.

The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation is possible by unauthenticated attackers over the network with low attack complexity, though it requires user interaction such as clicking a malicious link. Successful exploitation enables reflected XSS, allowing attackers to inject and execute arbitrary scripts in the context of the victim's browser, with low impacts on confidentiality, integrity, and availability within a changed scope.

Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/mapfig-premium-leaflet-map-maker/vulnerability/wordpress-acugis-leaflet-maps-plugin-5-1-1-0-multiple-cross-site-scripting-xss-vulnerabilities?_s_id=cve, document the vulnerability and provide details on affected WordPress plugin versions for mitigation guidance.