Description
Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps google-maps-easy allows XML Injection. This issue affects Easy Google Maps: from n/a through <= 1.11.18.
Published: 2025-04-04
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an Improper Restriction of XML External Entity Reference that lets an attacker inject arbitrary XML into the Easy Google Maps plugin. A crafted XML payload can cause the plugin to dereference external entities, exposing sensitive files, leaking system information, or potentially executing remote code if the XML processing allows it. This weakness aligns with CWE‑611.

Affected Systems

The issue affects WordPress sites running the Easy Google Maps plugin developed by supsystic in all releases up to and including version 1.11.18. Any WordPress installation that has installed this plugin within that version range is vulnerable.

Risk and Exploitability

The CVSS score of 6.6 classifies this as a medium‑severity vulnerability, and the EPSS score of less than 1 % indicates a very low but non‑zero probability of exploitation in the wild. Because the flaw is triggered by XML injection, the attack vector is likely through crafted input that reaches the plugin—such as a publicly exposed form or malicious content uploaded by a user. The absence from the KEV catalog means no publicly known exploits are documented, yet the potential for data exfiltration or remote code execution still warrants prompt remediation.

Generated by OpenCVE AI on May 1, 2026 at 00:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Easy Google Maps plugin to a version newer than 1.11.18; if the latest available version does not resolve the issue, upgrade to the latest release from supsystic.
  • Disable XML external entity support in the plugin’s XML parser or block external entity references in the application configuration to prevent XML injection.
  • Remove or replace the Easy Google Maps plugin if it is no longer required, and conduct a security review of all other WordPress components that parse XML to ensure similar protections are in place.



Advisories
Source: EUVD
ID: EUVD-2025-9876
Title: Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps allows XML Injection. This issue affects Easy Google Maps: from n/a through 1.11.17.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps allows XML Injection. This issue affects Easy Google Maps: from n/a through 1.11.17.
  Values Added: Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps google-maps-easy allows XML Injection. This issue affects Easy Google Maps: from n/a through <= 1.11.18.
Title
  Values Removed: WordPress Easy Google Maps plugin <= 1.11.17 - XML External Entity vulnerability
  Values Added: WordPress Easy Google Maps plugin <= 1.11.18 - XML External Entity vulnerability
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}


Fri, 04 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps allows XML Injection. This issue affects Easy Google Maps: from n/a through 1.11.17.
Title WordPress Easy Google Maps plugin <= 1.11.17 - XML External Entity vulnerability
Weaknesses CWE-611
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}


Subscriptions

Supsystic Easy Google Maps
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:17.022Z

Reserved: 2025-04-04T10:00:42.738Z

Link: CVE-2025-32138

Vulnrichment

Updated: 2025-04-04T19:54:44.399Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:22.060

Modified: 2026-04-23T15:28:37.643

Link: CVE-2025-32138

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:00:05Z

Weaknesses