{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4389", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-18T15:02:10.514Z", "datePublished": "2026-03-26T04:28:48.801Z", "dateUpdated": "2026-03-26T17:51:15.772Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T04:28:48.801Z"}, "affected": [{"vendor": "hupe13", "product": "DSGVO snippet for Leaflet Map and its Extensions", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (`unset`, `before`, `after`). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "DSGVO snippet for Leaflet Map and its Extensions <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'unset' Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dfeaff92-165a-4006-8e52-a99ae6b68dd9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dsgvo-leaflet-map/trunk/php/time-delete.php#L35"}, {"url": "https://plugins.trac.wordpress.org/browser/dsgvo-leaflet-map/tags/3.1/php/time-delete.php#L35"}, {"url": "https://plugins.trac.wordpress.org/browser/dsgvo-leaflet-map/tags/3.4"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3489426%40dsgvo-leaflet-map%2Ftrunk&old=3488424%40dsgvo-leaflet-map%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2026-03-23T20:01:03.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-23T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4389", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:35:46.609539Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:51:15.772Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4389", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:35:46.609539Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:48:10.731Z"}}], "cna": {"title": "DSGVO snippet for Leaflet Map and its Extensions <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'unset' Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "hupe13", "product": "DSGVO snippet for Leaflet Map and its Extensions", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-23T20:01:03.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-23T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dfeaff92-165a-4006-8e52-a99ae6b68dd9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/dsgvo-leaflet-map/trunk/php/time-delete.php#L35"}, {"url": "https://plugins.trac.wordpress.org/browser/dsgvo-leaflet-map/tags/3.1/php/time-delete.php#L35"}, {"url": "https://plugins.trac.wordpress.org/browser/dsgvo-leaflet-map/tags/3.4"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3489426%40dsgvo-leaflet-map%2Ftrunk&old=3488424%40dsgvo-leaflet-map%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (`unset`, `before`, `after`). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T04:28:48.801Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4389", "state": "PUBLISHED", "dateUpdated": "2026-03-26T17:51:15.772Z", "dateReserved": "2026-03-18T15:02:10.514Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-26T04:28:48.801Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (`unset`, `before`, `after`). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4389", "lastModified": "2026-03-26T05:16:40.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-26T05:16:40.667", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dsgvo-leaflet-map/tags/3.1/php/time-delete.php#L35"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dsgvo-leaflet-map/tags/3.4"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/dsgvo-leaflet-map/trunk/php/time-delete.php#L35"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3489426%40dsgvo-leaflet-map%2Ftrunk&old=3488424%40dsgvo-leaflet-map%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dfeaff92-165a-4006-8e52-a99ae6b68dd9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DSGVO snippet for Leaflet Map and its Extensions", "source": "cna", "vendor": "hupe13"}, "product": "dsgvo_snippet_for_leaflet_map_and_its_extensions", "vendor": "hupe13"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T06:21:10.175859+00:00", "value": {"mitigation_remediation": ["Upgrade the DSGVO snippet for Leaflet Map and its Extensions plugin to version 3.4 or later", "Restrict contributor or lower roles from adding or editing content that may include the vulnerable shortcodes", "If an upgrade is not immediately possible, consider removing or disabling the leafext-cookie-time and leafext-delete-cookie shortcodes from sites", "Monitor site activity for signs of XSS or unauthorized script execution", "Validate and sanitize any user\u2011supplied content before rendering it to prevent similar issues"], "summary": {"action": "Immediate Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites running the DSGVO snippet for Leaflet Map and its Extensions plugin version 3.1 or earlier are affected. Users with contributor role or greater can exploit the flaw by creating or editing content that includes the vulnerable shortcodes.", "description_and_impact": "The vulnerability allows authenticated users with contributor or higher access to inject arbitrary JavaScript through the leafext-cookie-time and leafext-delete-cookie shortcodes by supplying unsafe values for the unset, before, and after attributes. The injected code is stored and executed whenever a page containing the affected shortcode is viewed, providing attackers the ability to steal cookies, hijack sessions, or perform other client\u2011side malicious actions.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.4, indicating moderate severity. EPSS data is unavailable and the vulnerability is not listed in KEV, suggesting no confirmed public exploits. However, the attack requires authenticated access with contributor privileges and the ability to add or edit pages. Once injected, the malicious script runs in the browsers of all users who view the affected page, potentially compromising confidentiality and session integrity."}}}}, "created": "2026-03-26T11:30:32.636473+00:00", "updated": "2026-03-26T12:08:32.682935+00:00", "vendors": ["hupe13", "hupe13$PRODUCT$dsgvo_snippet_for_leaflet_map_and_its_extensions", "wordpress", "wordpress$PRODUCT$wordpress"]}