Description
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-16
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting allows injected scripts to run in any browser that loads affected pages, potentially leaking credentials, tampering with content, or executing additional actions on behalf of the user
Action: Patch Now
AI Analysis

Impact

A stored cross‑site scripting flaw in the WP Maps plugin lets an authenticated user with contributor access or higher place arbitrary JavaScript in the attributes of the 'put_wpgm' shortcode. Because the plugin neither sanitizes those attributes on input nor escapes them on output, the payload is rendered into the page and executes for every visitor who views it. The script runs in the site's origin, so it can deface the page, redirect visitors, or issue authenticated requests on behalf of whoever is viewing, including an editor or administrator previewing the contributor's submission.
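To make the pattern concrete, the following is an added illustration, not code from the WP Maps plugin (whose internals this record does not show): a minimal WordPress shortcode handler that reflects user-controlled attributes into markup unescaped, beside a hardened version. The shortcode name comes from the advisory; the attribute names (id, width, title) and the function names are hypothetical. The comment on the vulnerable path also records why contributor-level kses filtering does not stop this class of bug: the stored payload contains no HTML tag until the shortcode is rendered.

```php
<?php
// Added example, not code from the WP Maps plugin. Shows the CWE-79 pattern
// the advisory describes (shortcode attributes printed into HTML without
// escaping) next to a hardened handler. Attribute and function names are
// hypothetical; 'put_wpgm' is the shortcode named in the advisory.

// Vulnerable: attribute values flow straight into the markup.
function example_put_wpgm_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => '', 'width' => '100%', 'title' => '' ),
        $atts,
        'put_wpgm'
    );
    // A contributor saves:  [put_wpgm id='" onmouseover="alert(1)"']
    // kses (applied to users without unfiltered_html) sees no HTML tag in
    // that text and leaves it alone. When the shortcode renders, the output
    // becomes <div class="wpgm-map" data-map="" onmouseover="alert(1)" ...>
    // and runs for every visitor.
    return '<div class="wpgm-map" data-map="' . $atts['id'] . '" style="width:' . $atts['width'] . '">'
        . '<h3>' . $atts['title'] . '</h3></div>';
}

// Hardened: validate values that have a fixed shape, escape free text at
// output for the context it lands in (attribute value vs. text node).
function example_put_wpgm_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => '', 'width' => '100%', 'title' => '' ),
        $atts,
        'put_wpgm'
    );
    // Map IDs are integers: coerce instead of trusting the string.
    $map_id = absint( $atts['id'] );
    if ( 0 === $map_id ) {
        return '';
    }
    // Width must be a CSS length of an expected form ("100%", "640px").
    $width = preg_match( '/^\d{1,4}(px|%)$/', $atts['width'] ) ? $atts['width'] : '100%';

    return sprintf(
        '<div class="wpgm-map" data-map="%d" style="width:%s"><h3>%s</h3></div>',
        $map_id,
        esc_attr( $width ),
        esc_html( $atts['title'] )
    );
}

add_shortcode( 'put_wpgm', 'example_put_wpgm_hardened' );
```

Coercing `id` with `absint()` and whitelisting `width` by pattern removes the need to trust those values at all; only free text such as the title needs escaping, and it must be escaped for the context it is printed into (`esc_html()` for a text node, `esc_attr()` inside an attribute, `esc_url()` for an href or src).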

Affected Systems

WordPress sites that have the WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin installed in any version up to and including 4.8.7 are impacted. Any user who can add or edit content with contributor‑level access on these sites can exploit the flaw, and all users who subsequently view the compromised page are at risk.

Risk and Exploitability

The CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) rates the issue medium: it requires an authenticated contributor‑level account, but no user interaction beyond loading the page, and the scope change reflects that the impact lands in visitors' browsers rather than on the server component. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to store a crafted shortcode in site content, and only users who load that content are affected. Because the injected script runs in the site's origin, the impact covers confidentiality and integrity; the vector rates availability as not affected.

Generated by OpenCVE AI on April 16, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a release newer than 4.8.7 (4.8.8 or later once the vendor publishes it; the Remediation entry above does not yet link a fix) so that shortcode attributes are escaped on output.
  • Audit existing posts, pages and revisions for 'put_wpgm' shortcodes whose attribute values contain quotes, angle brackets, inline event handlers or javascript: URLs, and remove or rewrite them.
  • If an immediate upgrade is not possible, limit contributor‑level accounts to trusted users and, as a stopgap, unregister the shortcode with remove_shortcode( 'put_wpgm' ) from a must‑use plugin (hooked late on init, after the plugin registers it), accepting that maps will not render until the update is applied.
  • The durable fix is escaping in the plugin's own output (esc_attr()/esc_html() at the point each attribute is printed); a WAF rule or security plugin that blocks stored markup only catches payloads it recognizes, and patching the plugin in place is lost on the next update, so treat both as temporary.
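For the content audit, the following is an added triage helper, not part of the WP Maps plugin or of OpenCVE. It pulls each put_wpgm shortcode out of post content and flags attribute values that carry a quote, a tag start, an inline event handler or a javascript: URL, which is the shape of payload a contributor would store to exploit this class of bug. The attribute parser is a simplified stand‑in for WordPress's shortcode_parse_atts(), and the sample posts are constructed for the demonstration.

```php
<?php
// Added triage helper (not plugin or OpenCVE code). Finds put_wpgm
// shortcodes whose attribute values look like stored XSS payloads.
// The attribute regex is a simplified stand-in for shortcode_parse_atts();
// the sample posts at the bottom are constructed for this demo.

/**
 * Return the suspicious attributes found in every put_wpgm shortcode in
 * $content, as a list of ['attr' => name, 'value' => raw value] entries.
 */
function example_find_suspicious_put_wpgm( $content ) {
    $hits = array();
    // Capture the attribute string of each [put_wpgm ...] tag.
    if ( ! preg_match_all( '/\[put_wpgm\b([^\]]*)\]/i', $content, $tags ) ) {
        return $hits;
    }
    // name="value" | name='value' | name=value
    $attr_re = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/';
    // Things a map shortcode never needs: a tag start, a quote that could
    // close the surrounding HTML attribute, an inline handler, a javascript: URL.
    $bad_re = '/[<>"\']|\bon\w+\s*=|javascript\s*:/i';

    foreach ( $tags[1] as $attr_string ) {
        if ( ! preg_match_all( $attr_re, $attr_string, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            // Whichever of the three value groups matched holds the value.
            $value = '';
            for ( $i = 2; $i <= 4; $i++ ) {
                if ( isset( $m[ $i ] ) && '' !== $m[ $i ] ) {
                    $value = $m[ $i ];
                    break;
                }
            }
            if ( preg_match( $bad_re, $value ) ) {
                $hits[] = array( 'attr' => $m[1], 'value' => $value );
            }
        }
    }
    return $hits;
}

// Constructed sample rows standing in for wp_posts.post_content.
$sample_posts = array(
    101 => 'Find us here: [put_wpgm id="5" width="100%"]',
    102 => '[put_wpgm id=\'" onmouseover="alert(1)"\' width="100%"]',
    103 => '[put_wpgm id="7" title="<img src=x onerror=alert(1)>"]',
);

foreach ( $sample_posts as $post_id => $content ) {
    foreach ( example_find_suspicious_put_wpgm( $content ) as $hit ) {
        printf( "post %d: attribute %s = %s\n", $post_id, $hit['attr'], $hit['value'] );
    }
}
```

On a live site, feed the function the post_content column (for example from wp db query or get_posts() under wp eval-file) and include revisions and autosaves, since a payload removed from the published post can survive in its history; the post IDs it prints are the ones to clean and to correlate with the author account in the audit log.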

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Flippercode; Flippercode google Map; Flippercode wp Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Flippercode; Flippercode google Map; Flippercode wp Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters; Wordpress; Wordpress wordpress

Thu, 16 Apr 2026 07:15:00 +0000

Type: Description
Values Added: The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'put_wpgm' Shortcode

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T12:04:16.719Z

Reserved: 2025-11-18T16:57:46.868Z

Link: CVE-2025-13364

Vulnrichment

Updated: 2026-04-16T11:11:46.824Z

NVD

Status : Received

Published: 2026-04-16T07:16:28.550

Modified: 2026-04-16T07:16:28.550

Link: CVE-2025-13364

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:30:05Z

Weaknesses