CVE-2026-4389
Received Received - Intake
Stored XSS in Leaflet Map WordPress Plugin Allows Script Injection

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: Wordfence

Description
The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (`unset`, `before`, `after`). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4389
EUVD
EUVD-2026-16106
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
hupe13 dsgvo-leaflet-map to 3.1 (inc)
hupe13 dsgvo-leaflet-map From 3.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the DSGVO snippet for the Leaflet Map and its Extensions plugin for WordPress is a Stored Cross-Site Scripting (XSS) issue. It affects all versions up to and including 3.1. The problem arises because the plugin does not properly sanitize and escape user-supplied attributes (`unset`, `before`, `after`) in the shortcodes `leafext-cookie-time` and `leafext-delete-cookie`. This allows authenticated attackers with contributor-level access or higher to inject malicious scripts into pages. These scripts execute whenever any user accesses the infected page, potentially compromising user security.

Impact Analysis

This Stored Cross-Site Scripting vulnerability can allow an attacker with contributor-level access or above to inject arbitrary JavaScript into pages on your WordPress site. When other users visit these pages, the malicious scripts can execute in their browsers. This can lead to a range of impacts including theft of user credentials, session hijacking, unauthorized actions performed on behalf of users, and potential defacement or redirection to malicious sites. Because the vulnerability requires authenticated access, it primarily risks users with elevated privileges and visitors interacting with the affected pages.

Compliance Impact

The vulnerability undermines the GDPR compliance goals of the DSGVO Leaflet Map plugin, which is designed to manage cookie consent and deletion securely. By allowing injection of malicious scripts via insufficient input sanitization and output escaping, it compromises the security and privacy protections intended by GDPR. This could lead to unauthorized access or manipulation of user data, violating GDPR requirements for data protection and user consent. While the plugin includes nonce verification and secure cookie handling to support compliance, the XSS vulnerability itself poses a risk to maintaining these standards until it is patched.

Detection Guidance

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the DSGVO Leaflet Map WordPress plugin affecting shortcode attributes `unset`, `before`, and `after`. Detection involves identifying if your WordPress site uses the vulnerable plugin version (up to 3.1) and if these shortcodes are present in pages accessible by authenticated users with contributor-level access or higher.

Since the vulnerability involves injection of arbitrary scripts via shortcode attributes, detection can include reviewing pages or posts that use the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes for suspicious or unexpected HTML or JavaScript code.

There are no explicit commands provided in the context to detect this vulnerability on a network or system. However, general approaches include:

  • Check the installed version of the dsgvo-leaflet-map plugin to see if it is version 3.1 or earlier.
  • Search your WordPress content database for usage of the shortcodes `[leafext-cookie-time]` and `[leafext-delete-cookie]`.
  • Manually inspect or scan pages containing these shortcodes for injected scripts or unusual HTML in the attributes `unset`, `before`, or `after`.

Example WordPress CLI commands that might help (not provided in the context but typical for such detection):

  • wp plugin list --status=active | grep dsgvo-leaflet-map
  • wp post list --post_type=page,post --field=ID | xargs -I % wp post get % --field=post_content | grep -E '\[leafext-cookie-time|\[leafext-delete-cookie'
Mitigation Strategies

To mitigate the Stored Cross-Site Scripting vulnerability in the DSGVO Leaflet Map WordPress plugin, the immediate recommended step is to update the plugin to version 3.4 or later, where the vulnerability has been fixed.

The fix involves sanitizing and escaping all user-supplied shortcode attributes (`unset`, `before`, `after`) using WordPress functions such as `wp_kses_post()` and `esc_html()`, preventing injection of malicious scripts.

If updating immediately is not possible, consider temporarily disabling the plugin or removing usage of the vulnerable shortcodes until the update can be applied.

Additionally, ensure that only trusted users have contributor-level or higher access to the WordPress site, as the vulnerability requires authenticated access at that level.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4389. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart