WordPress Plugin Vulnerabilities

WP Google Map < 4.4.0 - Editor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the Editor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
wp-google-map-plugin
Fixed in 4.4.0

References

CVE
CVE-2023-23878

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
650ce1e3-0e52-4afd-b072-653030f2d240

Timeline

Publicly Published
2023-01-20 (about 3 years ago)
Added
2023-04-04 (about 3 years ago)
Last Updated
2023-04-04 (about 3 years ago)

Other

Published
Title
Published
2024-11-25
Title
Spotify Play Button for WordPress < 2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via spotifyplaybutton Shortcode
Published
2021-08-24
Title
Recipe Card Blocks < 2.8.3 - Contributor+ Stored Cross-Site Scripting
Published
2014-08-01
Title
All-in-One Event Calendar 1.9 - wp-admin/post-new.php Multiple Parameter XSS
Published
2023-12-28
Title
Product Enquiry for WooCommerce < 3.1 - Admin+ Stored XSS
Published
2024-06-05
Title
PVN Auth Popup <= 1.0.0 - Admin+ Stored XSS