CVE Catalog

CVE-2026-9594

MediumCVSS 4.4
Published: Updated: Translated: NVD NIST

Summary

The WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'location_messages' parameter in all versions up to and including 4.9.4 due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts into pages.

Risk Assessment

Attackers can exploit this vulnerability to inject malicious code, potentially leading to user data theft or session hijacking. The risk increases when attackers have permissions to manage locations.

Recommendation

It is recommended to update the WP Maps plugin to the latest version to mitigate this vulnerability. Access to the 'wpgmp_manage_location' capability should also be restricted to trusted administrators.

Original NVD description (English source)

The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged roles via the plugin's Permissions screen.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS