CVE-2025-28858 is a reflected cross-site scripting vulnerability found in the Arrow Plugins Arrow Maps plugin, specifically within the ap-google-maps component. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is reflected back to users. This vulnerability affects all versions up to and including 1.0.9. Reflected XSS attacks typically require an attacker to craft a malicious URL containing the payload and trick a victim into clicking it. Once executed in the victim's browser, the malicious script can perform actions such as stealing session cookies, capturing keystrokes, or redirecting users to phishing or malware sites. The vulnerability does not require authentication, increasing its risk profile, but does require user interaction to trigger. No CVSS score has been assigned yet, and no known exploits have been reported in the wild. The vulnerability was publicly disclosed on March 26, 2025, with the initial reservation on March 11, 2025. The absence of a patch link suggests that a fix may not yet be available, emphasizing the need for interim mitigations. Given the widespread use of WordPress plugins like Arrow Maps for embedding Google Maps functionality, this vulnerability could affect a broad range of websites globally.

The impact of CVE-2025-28858 is significant for organizations using the Arrow Maps plugin on their websites. Successful exploitation can lead to the execution of arbitrary scripts in the context of users' browsers, compromising confidentiality by stealing session tokens, personal data, or login credentials. Integrity can be affected if attackers manipulate displayed content or perform unauthorized actions on behalf of users. Availability impact is generally low for XSS, but indirect effects such as phishing or malware distribution could disrupt user trust and website reputation. Since the vulnerability is reflected XSS, it requires user interaction, which may limit mass exploitation but still poses a high risk for targeted attacks or phishing campaigns. The lack of authentication requirements broadens the attack surface, allowing external attackers to exploit the vulnerability without prior access. Organizations with high web traffic or sensitive user data are particularly at risk, as attackers could leverage this vulnerability to escalate further attacks or data breaches.

To mitigate CVE-2025-28858, organizations should first check for and apply any available patches or updates from Arrow Plugins as soon as they are released. In the absence of an official patch, implement strict input validation and output encoding on all user-supplied data reflected in web pages, particularly in the ap-google-maps component. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Use web application firewalls (WAFs) with rules designed to detect and block reflected XSS attempts targeting the plugin. Educate users and administrators about the risks of clicking suspicious links and encourage the use of browser security features that can help mitigate XSS risks. Regularly audit and monitor web application logs for unusual activity indicative of exploitation attempts. Consider temporarily disabling the Arrow Maps plugin if the risk is deemed unacceptable until a patch is available. Finally, adopt a defense-in-depth approach by combining multiple layers of security controls to reduce the likelihood and impact of exploitation.