Simple Google Static Map <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-27334 | Plugin Vulnerabilities

Description

The Simple Google Static Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

simple-google-static-map

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/86b655a6-7d71-441a-8430-6e72aecb37d8

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Chu The Anh

Verified

No

WPVDB ID

7a6bf84d-a97c-4eda-8cca-044419e23ebc

Timeline

Publicly Published

2025-06-05 (about 10 months ago)

Added

2025-06-11 (about 9 months ago)

Last Updated

2025-06-11 (about 9 months ago)

Other

Published

Title

Published

2024-12-04

Title

Contact Form Builder < 4.10.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via livesite-pay Shortcode

Published

2026-01-13

Title

Gotham Block Extra Light < 1.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

Published

2023-02-02

Title

WP htpasswd <= 1.7 - Admin+ Stored XSS

Published

2025-10-21

Title

Responsive Progress Bar <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-01-05

Title

Grand Restaurant < 7.0.9 - Reflected Cross-Site Scripting