CVE-2025-28858
Published: 26 March 2025
Summary
CVE-2025-28858 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 44.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-28858 is an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting', CWE-79) vulnerability that enables Reflected XSS in the Arrow Maps (ap-google-maps) WordPress plugin developed by Arrow Plugins. It affects all versions of the plugin from n/a through 1.0.9. The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): the flaw is reachable over the network with low attack complexity and no privileges, but it requires user interaction, and the scope is changed because the injected script executes in the victim's browser rather than in the vulnerable plugin's own security context.
Remote, unauthenticated attackers exploit the flaw by crafting a link or request whose parameters the plugin reflects unsanitized into the page it generates. Exploitation requires luring a user, such as a site visitor or an administrator, into interacting with the payload (for example, by clicking the link). A successful attack executes arbitrary JavaScript in the victim's browser; if the victim is a logged-in administrator, that script runs with the administrator's session and can issue requests on their behalf. The per-component impacts on confidentiality, integrity, and availability are rated low, but the changed scope reflects that the damage lands on other users and resources, not only on the plugin itself.
Patchstack's advisory (https://patchstack.com/database/Wordpress/Plugin/ap-google-maps/vulnerability/wordpress-arrow-maps-plugin-1-0-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the Reflected XSS issue in Arrow Maps version 1.0.9 for WordPress security practitioners.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8158
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arrow Plugins Arrow Maps ap-google-maps allows Reflected XSS. This issue affects Arrow Maps: from n/a through <= 1.0.9.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin enables exploitation of public-facing apps (T1190), arbitrary JavaScript execution (T1059.007), and user execution via malicious links (T1204.001).
Affected Assets
- Arrow Maps (ap-google-maps) WordPress plugin by Arrow Plugins, versions from n/a through 1.0.9
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly prevents reflected XSS by encoding user-supplied values before they are placed into the HTML the plugin generates.
- SI-10 (Information Input Validation): enforces validation of all inputs to the WordPress plugin so that malicious scripts are neutralized before they can be reflected into the page.
- Flaw remediation: requires timely patching of the Arrow Maps plugin (versions through 1.0.9) by applying the vendor update.
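The reflected-XSS pattern described above, and the two controls SI-10 and SI-15 that close it, as an added example. This is generic WordPress-style PHP written for this page; it is not the Arrow Maps plugin's code, and the shortcode output, the `center` parameter and the attribute names are hypothetical. Fallback definitions approximate WordPress's esc_attr(), esc_html() and sanitize_text_field() so the file runs under the plain php CLI outside WordPress; inside a plugin you would rely on the real functions.

```php
<?php
// Added illustration, not Arrow Maps code. The shortcode output, the `center`
// request parameter and the data-center attribute are hypothetical. The
// function_exists() fallbacks approximate WordPress helpers so this runs
// stand-alone with `php example.php`; a real plugin uses the WordPress ones.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress sanitize_text_field(): drop tags and control chars.
    function sanitize_text_field(string $s): string {
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
    }
}

// Vulnerable pattern (CWE-79): a request parameter is concatenated straight
// into markup, so a value such as  "><script>...  breaks out of the attribute.
function render_map_vulnerable(array $get): string {
    $center = $get['center'] ?? 'Berlin';
    return '<div class="map" data-center="' . $center . '">' . $center . '</div>';
}

// Hardened pattern: validate on input (SI-10) and encode on output (SI-15).
function render_map_hardened(array $get): string {
    $center = sanitize_text_field((string) ($get['center'] ?? 'Berlin'));

    // SI-10: allow-list what a place name plausibly looks like; anything else
    // falls back to a safe default instead of being reflected.
    if ($center === '' || strlen($center) > 100
        || !preg_match('/^[\p{L}\p{N} ,.\'-]+$/u', $center)) {
        $center = 'Berlin';
    }

    // SI-15: encode for the exact HTML context. Validation alone is not enough:
    // an allowed apostrophe still has to be encoded inside the attribute.
    return '<div class="map" data-center="' . esc_attr($center) . '">'
         . esc_html($center) . '</div>';
}

// Constructed probe: a classic attribute break-out payload.
$probe = ['center' => '"><script>alert(document.cookie)</script>'];
// Constructed benign value that legitimately contains a quote character.
$benign = ['center' => "Coeur d'Alene"];

echo "vulnerable: ", render_map_vulnerable($probe), "\n";
// -> the <script> element lands in the page verbatim
echo "hardened:   ", render_map_hardened($probe), "\n";
// -> <div class="map" data-center="Berlin">Berlin</div>
echo "hardened:   ", render_map_hardened($benign), "\n";
// -> <div class="map" data-center="Coeur d&#039;Alene">Coeur d&#039;Alene</div>
```

The third output is the point of keeping both controls: the apostrophe passes the allow-list because real place names contain one, and only the context-aware encoding (esc_attr inside the attribute, esc_html in the text node) stops it from terminating the attribute.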