CVE-2025-28858: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Arrow Plugins Arrow Maps, affecting versions up to 1.0.9. The vulnerability was discovered by security researcher Abdi Pranata and was assigned CVE-2025-28858, with disclosure on March 26, 2025 (NVD, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. This scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability allows for Reflected Cross-Site Scripting attacks, which could potentially lead to unauthorized access to user data, session hijacking, or manipulation of web content. The CVSS scoring indicates low impacts on confidentiality, integrity, and availability, but the overall severity is rated as high due to the network accessibility and low attack complexity (NVD).

Users of Arrow Maps plugin versions 1.0.9 and below should upgrade to a patched version when available. In the meantime, website administrators should implement additional security controls such as Web Application Firewalls (WAF) to help mitigate potential XSS attacks (Patchstack).