CVE-2023-6697

MEDIUM NUCLEI

Wpgmaps WP GO Maps < 9.0.28 - XSS

Title source: rule

Description

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to, and including, 9.0.28 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Nuclei Templates (1)

WP Go Maps (formerly WP Google Maps) < 9.0.29 - Cross-Site Scripting

MEDIUMVERIFIEDby iamnoooob,ritikchaddha

FOFA: body="/wp-content/plugins/wp-google-maps"

References (2)

[Patch] https://plugins.trac.wordpress.org/changeset/3022232/wp-google-maps/trunk/html/atlas-novus/map-edit-page/map-edit-page.html.php

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c3115b-8921-429d-b517-b946edab1cd5?source=cve

Scores

CVSS v3 6.1

EPSS 0.5417

EPSS Percentile 98.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

wpgmaps/wp_go_maps < 9.0.28

wpgmaps/WP Go Maps (formerly WP Google Maps) < 9.0.28

Published Jan 24, 2024

Tracked Since Feb 18, 2026