CVE-2025-28858
Published: 26 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-28858 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Reflected Cross-Site Scripting (XSS) as classified under CWE-79, in the Arrow Maps (ap-google-maps) WordPress plugin developed by Arrow Plugins. This flaw affects all versions of the plugin from n/a through 1.0.9. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), reflecting its high severity due to network accessibility, low attack complexity, lack of required privileges, user interaction dependency, and changed scope.
Remote attackers without privileges can exploit this vulnerability by crafting malicious inputs or links that are reflected unsanitized in the plugin's web page generation. Exploitation requires tricking a user, such as a site visitor or administrator, into interacting with the payload (e.g., clicking a link). Successful attacks execute arbitrary JavaScript in the victim's browser context, potentially compromising session data, with low impacts on confidentiality, integrity, and availability but amplified by the scope change to other users or resources.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/ap-google-maps/vulnerability/wordpress-arrow-maps-plugin-1-0-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve documents the Reflected XSS issue specifically in the Arrow Maps plugin, version 1.0.9, and is the reference for WordPress security practitioners tracking this vulnerability.
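To make the CWE-79 pattern behind this advisory concrete, the following is an added, hypothetical illustration rather than code from the Arrow Maps plugin (the advisory does not name the affected parameter, so the `map_address` parameter, the `apx_` function names and the shortcode are assumptions). It shows a WordPress shortcode handler that reflects a request parameter into the page, first in the unsafe form and then hardened with WordPress's own sanitization and context-specific escaping functions.

```php
<?php
// Added illustrative example; hypothetical plugin code, not Arrow Maps source.
// Assumes WordPress is loaded (sanitize_text_field, wp_unslash, esc_attr,
// esc_html, wp_json_encode, add_shortcode are WordPress core functions).

// UNSAFE (CWE-79): the request parameter is written into the markup verbatim,
// so whatever a crafted link places in it is rendered in the viewer's browser
// as HTML/script instead of as text. This is the reflected XSS shape.
function apx_map_shortcode_unsafe( $atts ) {
    $address = isset( $_GET['map_address'] ) ? $_GET['map_address'] : 'Default address'; // hypothetical parameter
    return '<div class="apx-map" data-address="' . $address . '">'
         . '<p>Showing map for: ' . $address . '</p></div>';
}

// HARDENED: sanitize on input, then escape for each output context separately.
function apx_map_shortcode_safe( $atts ) {
    $address = isset( $_GET['map_address'] )
        ? sanitize_text_field( wp_unslash( $_GET['map_address'] ) ) // strips tags, normalizes whitespace
        : 'Default address';

    // HTML attribute context -> esc_attr(); HTML text context -> esc_html().
    $html  = '<div class="apx-map" data-address="' . esc_attr( $address ) . '">';
    $html .= '<p>Showing map for: ' . esc_html( $address ) . '</p>';

    // If the value must reach inline JavaScript (e.g. a maps API call), emit it
    // as a JSON literal rather than by string concatenation.
    $html .= '<script>var apxMapAddress = ' . wp_json_encode( $address ) . ';</script>';
    $html .= '</div>';
    return $html;
}
add_shortcode( 'apx_map', 'apx_map_shortcode_safe' );
```

When reviewing a plugin for this bug class, search for `$_GET`, `$_POST` and `$_REQUEST` values that reach `echo`, `print` or string-built markup without passing through an `esc_*` function matching the output context.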
Details
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin enables exploitation of public-facing applications (T1190), arbitrary JavaScript execution in the victim's browser (T1059.007), and user execution via malicious links (T1204.001).