{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39646", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:48.107Z", "datePublished": "2026-04-08T08:30:32.949Z", "dateUpdated": "2026-04-08T08:30:32.949Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "leaflet-map", "product": "Leaflet Map", "vendor": "bozdoz", "versions": [{"lessThanOrEqual": "3.4.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:37.885Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bozdoz Leaflet Map leaflet-map allows Stored XSS.<p>This issue affects Leaflet Map: from n/a through <= 3.4.4.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bozdoz Leaflet Map leaflet-map allows Stored XSS.This issue affects Leaflet Map: from n/a through <= 3.4.4."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:32.949Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/leaflet-map/vulnerability/wordpress-leaflet-map-plugin-3-4-4-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress Leaflet Map plugin <= 3.4.4 - Cross Site Scripting (XSS) vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bozdoz Leaflet Map leaflet-map allows Stored XSS.This issue affects Leaflet Map: from n/a through <= 3.4.4."}], "id": "CVE-2026-39646", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:35.483", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/leaflet-map/vulnerability/wordpress-leaflet-map-plugin-3-4-4-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.4.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Leaflet Map", "source": "cna", "vendor": "bozdoz"}, "product": "leaflet_map", "vendor": "bozdoz"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:07:19.263798+00:00", "value": {"mitigation_remediation": ["Apply the latest Leaflet Map plugin update (v3.4.5 or newer).", "If an update is unavailable or delayed, disable the Leaflet Map plugin until a patch is released.", "Review and patch any existing XSS proof\u2011of\u2011concept content that might have been injected.", "Regularly monitor the plugin\u2019s security advisories and maintain a patch schedule for WordPress plugins."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) allowing arbitrary script execution in vulnerable browsers"}, "threat_synthesis": {"affected_systems": "The Leaflet Map plugin released by bozdoz for WordPress is affected for all versions from beta through 3.4.4. Users of these versions should verify whether the plugin is installed and determine which version is in use.", "description_and_impact": "This vulnerability arises from improper neutralization of input during web page generation in the Leaflet Map plugin. The flaw permits malicious JavaScript to be stored and subsequently served to any user visiting a page that renders the injected content. Attackers could steal session cookies, deface sites, or redirect users to phishing sites, thereby compromising confidentiality, integrity, and user trust. The weakness falls under CWE\u201179 \u2013 Improper Neutralization of Input During Web Page Generation.", "risk_and_exploitability": "The CVSS score is not provided, but a stored XSS can be exploited by anyone capable of submitting data to the plugin\u2019s input interface. The EPSS score is unavailable and the issue is not listed in the CISA KEV catalog, suggesting no widely known exploitation at this time. However, the potential impact remains high for sites that use the plugin, especially if users of the plugin include administrators or other privileged accounts. The likely attack vector is through normal user input or content creation within the plugin\u2019s interface, a path that does not require privileged access."}}}}, "created": "2026-04-08T19:28:25.127109+00:00", "updated": "2026-04-08T19:41:29.842804+00:00", "vendors": ["bozdoz", "bozdoz$PRODUCT$leaflet_map", "wordpress", "wordpress$PRODUCT$wordpress"]}