Impact
The CodePeople Post Map for Google Maps plugin is vulnerable to stored cross‑site scripting via the cpm_point post meta field. The flaw results from insufficient input sanitization and output escaping, allowing attackers who are authenticated with Contributor‑level access or higher to inject arbitrary JavaScript. When a user visits a page that contains the stored meta, the injected script runs in that user’s browser, which can be used to steal credentials, deface content, or perform other malicious client‑side actions.
Affected Systems
All WordPress sites that have installed the CodePeople Post Map for Google Maps plugin version 1.2.6 or earlier are affected. Sites that have upgraded to a newer release that includes the fix are not impacted. The attack requires that the attacker have a role of Contributor or higher within the WordPress installation.
Risk and Exploitability
The CVSS base score of 6.4 classifies the vulnerability as moderate. No EPSS score is available, and it is not included in the CISA KEV catalog, indicating that exploitation is currently limited. An attacker must first authenticate with at least Contributor-level permissions to embed malicious JavaScript via cpm_point; once stored, the payload is automatically executed whenever the affected page is loaded by any visitor.
OpenCVE Enrichment