Google Maps Easy < 1.10.1 – Admin+ Stored Cross-Site Scripting | CVE 2021-39346 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php file which allowed attackers with administrative user access to inject arbitrary web scripts. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

Affects Plugins

google-maps-easy

Fixed in 1.10.1

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39346

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Thinkland Security Team

Verified

Yes

WPVDB ID

c25a2817-fba7-4607-ab55-637a04599be6

Timeline

Publicly Published

2021-11-01 (about 4 years ago)

Added

2021-11-01 (about 4 years ago)

Last Updated

2022-04-13 (about 4 years ago)

Other

Published

Title

Published

2024-06-22

Title

WP Affiliate Platform < 6.5.1 - Profile Update via CSRF

Published

2025-10-23

Title

Builderall Builder for WordPress <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-11-04

Title

WP Admin UI Customize < 1.5.13 - Admin+ Stored XSS

Published

2026-04-03

Title

Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem < 3.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad'

Published

2025-04-01

Title

Webling < 3.9.1 - Authenticated (Administrator+) Stored Cross-Site Scripting