WordPress Plugin Vulnerabilities

Easy Google Maps < 1.11.19 - Author+ XML Entity Injection

Description

The plugin is vulnerable to XML External Entity Injection due to the plugin not properly filtering data included in XML. This makes it possible for authenticated attackers, with author-level access and above, to inject external entities which can make code execution possible.

Affects Plugins

Plugin icon
google-maps-easy
Fixed in 1.11.19

References

CVE
CVE-2025-32138
URL
https://patchstack.com/database/wordpress/plugin/google-maps-easy/vulnerability/wordpress-easy-google-maps-plugin-1-11-17-xml-external-entity-vulnerability

Classification

Type
XXE
OWASP top 10
A4: XML External Entities (XXE)
CWE
CWE-611
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
minhtuanact
Verified
No
WPVDB ID
8e81e119-3351-4e26-ba07-b331afddf0c6

Timeline

Publicly Published
2025-04-04 (about 10 months ago)
Added
2025-04-10 (about 10 months ago)
Last Updated
2025-05-27 (about 9 months ago)

Other

Published
Title
Published
2024-10-24
Title
Royal Elementor Addons < 1.3.981 - Authenticated (Author+) External Entity Injection
Published
2026-01-16
Title
Demo Importer Plus < 2.0.10 - Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload
Published
2013-06-21
Title
WordPress 3.5-3.5.1 oEmbed Unspecified XML External Entity (XXE)
Published
2021-04-15
Title
WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8
Published
2017-11-14
Title
TablePress <= 1.8 - Authenticated XML External Entity (XXE)