CVE-2026-4389
Stored XSS in Leaflet Map WordPress Plugin Allows Script Injection
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hupe13 | dsgvo-leaflet-map | to 3.1 (inc) |
| hupe13 | dsgvo-leaflet-map | From 3.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the DSGVO snippet for the Leaflet Map and its Extensions plugin for WordPress is a Stored Cross-Site Scripting (XSS) issue. It affects all versions up to and including 3.1. The problem arises because the plugin does not properly sanitize and escape user-supplied attributes (`unset`, `before`, `after`) in the shortcodes `leafext-cookie-time` and `leafext-delete-cookie`. This allows authenticated attackers with contributor-level access or higher to inject malicious scripts into pages. These scripts execute whenever any user accesses the infected page, potentially compromising user security.
How can this vulnerability impact me? :
This Stored Cross-Site Scripting vulnerability can allow an attacker with contributor-level access or above to inject arbitrary JavaScript into pages on your WordPress site. When other users visit these pages, the malicious scripts can execute in their browsers. This can lead to a range of impacts including theft of user credentials, session hijacking, unauthorized actions performed on behalf of users, and potential defacement or redirection to malicious sites. Because the vulnerability requires authenticated access, it primarily risks users with elevated privileges and visitors interacting with the affected pages.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability undermines the GDPR compliance goals of the DSGVO Leaflet Map plugin, which is designed to manage cookie consent and deletion securely. By allowing injection of malicious scripts via insufficient input sanitization and output escaping, it compromises the security and privacy protections intended by GDPR. This could lead to unauthorized access or manipulation of user data, violating GDPR requirements for data protection and user consent. While the plugin includes nonce verification and secure cookie handling to support compliance, the XSS vulnerability itself poses a risk to maintaining these standards until it is patched.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the DSGVO Leaflet Map WordPress plugin affecting shortcode attributes `unset`, `before`, and `after`. Detection involves identifying if your WordPress site uses the vulnerable plugin version (up to 3.1) and if these shortcodes are present in pages accessible by authenticated users with contributor-level access or higher.
Since the vulnerability involves injection of arbitrary scripts via shortcode attributes, detection can include reviewing pages or posts that use the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes for suspicious or unexpected HTML or JavaScript code.
There are no explicit commands provided in the context to detect this vulnerability on a network or system. However, general approaches include:
- Check the installed version of the dsgvo-leaflet-map plugin to see if it is version 3.1 or earlier.
- Search your WordPress content database for usage of the shortcodes `[leafext-cookie-time]` and `[leafext-delete-cookie]`.
- Manually inspect or scan pages containing these shortcodes for injected scripts or unusual HTML in the attributes `unset`, `before`, or `after`.
Example WordPress CLI commands that might help (not provided in the context but typical for such detection):
- wp plugin list --status=active | grep dsgvo-leaflet-map
- wp post list --post_type=page,post --field=ID | xargs -I % wp post get % --field=post_content | grep -E '\[leafext-cookie-time|\[leafext-delete-cookie'
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Stored Cross-Site Scripting vulnerability in the DSGVO Leaflet Map WordPress plugin, the immediate recommended step is to update the plugin to version 3.4 or later, where the vulnerability has been fixed.
The fix involves sanitizing and escaping all user-supplied shortcode attributes (`unset`, `before`, `after`) using WordPress functions such as `wp_kses_post()` and `esc_html()`, preventing injection of malicious scripts.
If updating immediately is not possible, consider temporarily disabling the plugin or removing usage of the vulnerable shortcodes until the update can be applied.
Additionally, ensure that only trusted users have contributor-level or higher access to the WordPress site, as the vulnerability requires authenticated access at that level.