CVE-2019-19134
MEDIUM NUCLEIHero Maps Premium < 2.2.3 - Unauthenticated Stored Cross-Site Scripting via Dashboard Index p Parameter
Title source: llmExploitation Summary
CVE-2019-19134 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to unauthenticated XSS via the views/dashboard/index.php p parameter because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to inject HTML or arbitrary JavaScript within the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based tokens or to launch other attacks.
Nuclei Templates (1)
WordPress Hero Maps Premium <=2.2.1 - Cross-Site Scripting
MEDIUMby daffainfo
References (4)
Core 4
Core References
Product x_refsource_misc
https://heroplugins.com/product/maps/
Exploit, Third Party Advisory x_refsource_misc
https://www.hooperlabs.xyz/disclosures/cve-2019-19134.php
Release Notes, Vendor Advisory x_refsource_misc
https://heroplugins.com/changelogs/hmaps/changelog.txt
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/10095
Scores
CVSS v3
6.1
EPSS
0.0565
EPSS Percentile
92.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
heroplugins/hero_maps_premium
< 2.2.3
Published
Feb 26, 2020
Tracked Since
Feb 18, 2026