WordPress Plugin Vulnerabilities

WP Go Maps (formerly WP Google Maps) < 9.0.39 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Version 9.0.39 adds a caution to make administrators aware of the possibility for abuse if permissions are granted to lower-level users.

Affects Plugins

Plugin icon
wp-google-maps
Fixed in 9.0.39

References

CVE
CVE-2024-5994
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/dd0597d2-07ba-4fb4-bf73-95770f8c3d6b

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Tim Coen
Verified
No
WPVDB ID
0e13ce95-d5a9-40f0-ab7e-ba82b407976c

Timeline

Publicly Published
2024-06-13 (about 1 year ago)
Added
2024-06-14 (about 1 year ago)
Last Updated
2024-06-14 (about 1 year ago)

Other

Published
Title
Published
2014-08-01
Title
HMS Testimonials 2.0.10 - XSS
Published
2025-03-31
Title
Media Library Assistant < 3.25 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-01-12
Title
Login with Phone Number < 1.4.2 - Reflected Cross-Site Scripting
Published
2024-08-16
Title
Child Theme Creator < 1.5.5 - Reflected Cross-Site Scripting
Published
2023-10-17
Title
Woo Custom Emails <= 2.2 - Reflected XSS