Description
The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CodePeople Post Map for Google Maps plugin is vulnerable to stored cross‑site scripting via the cpm_point post meta field. The flaw results from insufficient input sanitization and output escaping, allowing attackers who are authenticated with Contributor‑level access or higher to inject arbitrary JavaScript. When a user visits a page that contains the stored meta, the injected script runs in that user’s browser, which can be used to steal credentials, deface content, or perform other malicious client‑side actions.

Affected Systems

All WordPress sites that have installed the CodePeople Post Map for Google Maps plugin version 1.2.6 or earlier are affected. Sites that have upgraded to a newer release that includes the fix are not impacted. The attack requires that the attacker have a role of Contributor or higher within the WordPress installation.

Risk and Exploitability

The CVSS base score of 6.4 classifies the vulnerability as moderate. No EPSS score is available, and it is not included in the CISA KEV catalog, indicating that exploitation is currently limited. An attacker must first authenticate with at least Contributor-level permissions to embed malicious JavaScript via cpm_point; once stored, the payload is automatically executed whenever the affected page is loaded by any visitor.

Generated by OpenCVE AI on June 27, 2026 at 04:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CodePeople Post Map for Google Maps plugin to a version that contains the XSS fix.
  • Restrict Contributor or higher role users from editing post meta that includes the cpm_point field, or disable the feature that writes this meta data.
  • As an interim manual fix, edit the plugin’s functions.php file to sanitize or escape the cpm_point meta value before rendering, for example by applying esc_textarea() or wp_kses().

Generated by OpenCVE AI on June 27, 2026 at 04:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Codepeople
Codepeople codepeople Post Map For Google Maps
Wordpress
Wordpress wordpress
Vendors & Products Codepeople
Codepeople codepeople Post Map For Google Maps
Wordpress
Wordpress wordpress

Mon, 29 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Description The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title CodePeople Post Map for Google Maps <= 1.2.6 - Authenticated (Contributor +) Stored Cross-Site Scripting via 'cpm_point' Post Meta
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Codepeople Codepeople Post Map For Google Maps
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-29T14:54:22.340Z

Reserved: 2026-06-25T13:44:42.067Z

Link: CVE-2026-13335

cve-icon Vulnrichment

Updated: 2026-06-29T14:48:11.415Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:05:59Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')