Description
The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged roles via the plugin's Permissions screen.
Published: 2026-06-06
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Maps – Google Maps, OpenStreetMap, Mapbox, Store Locator, Listing, Directory & Filters plugin contains a stored XSS flaw in the 'location_messages' parameter. Because the input is not properly sanitized or escaped, an attacker with administrative or higher privileges can inject JavaScript into the plugin’s data store. When a victim loads a page containing the injected message, the malicious script runs in the victim’s browser, potentially stealing session cookies, manipulating the UI, or executing further attacks.

Affected Systems

All installations of the WP Maps plugin up through version 4.9.4 running on WordPress are affected. The affected range covers every release of the plugin published on the WordPress plugin repository up to and including 4.9.4; no narrower set of revisions is listed beyond that upper bound.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, but the necessity of administrative access limits the potential impact to sites where attackers can obtain or abuse elevated privileges. The EPSS score is not available, and the vulnerability is not catalogued in CISA’s KEV database. Based on the description, the attack vector is local to the WordPress environment: an authenticated user with the custom "wpgmp_manage_location" capability (typically admins or roles granted this capability via the plugin’s Permissions screen) can create or modify a location message to embed malicious script. Once stored, every visitor to the affected page will be exposed to the injected code.

Generated by OpenCVE AI on June 6, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Maps plugin to version 4.9.5 or later, which contains the XSS fix
  • If an update is not immediately possible, revoke or limit the "wpgmp_manage_location" capability for all non-administrator users to reduce the chance of exploitation
  • Apply additional input validation or sanitization to the 'location_messages' field using WordPress sanitization functions such as wp_filter_post_kses or esc_html before storing the data
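As an added illustration of the third action (not the plugin's own code; the function names, option key and nonce action are hypothetical), the weak pattern implied by the description beside a hardened handler that enforces the wpgmp_manage_location capability, sanitizes the 'location_messages' value on save and escapes it on output:

```php
<?php
// Hypothetical WordPress handler written for illustration; not WP Maps code.
// The option key, nonce action and function names are assumptions.

// WEAK: stores the raw request value and echoes it back unescaped.
function demo_save_location_messages_weak() {
    if ( isset( $_POST['location_messages'] ) ) {
        update_option( 'demo_location_messages', $_POST['location_messages'] );
    }
}
function demo_render_location_messages_weak() {
    // Unescaped output of attacker-controlled data: stored XSS for every visitor.
    echo get_option( 'demo_location_messages', '' );
}

// HARDENED: capability and nonce check, sanitize on input, escape on output.
function demo_save_location_messages() {
    // Only holders of the plugin capability may write the value (default: admins).
    if ( ! current_user_can( 'wpgmp_manage_location' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Reject cross-site form submissions (assumed nonce action name).
    check_admin_referer( 'demo_location_messages_save' );

    $raw = isset( $_POST['location_messages'] ) ? wp_unslash( $_POST['location_messages'] ) : '';
    // Treat the message as plain text: strips tags, encoded characters and
    // line breaks. If limited markup must be allowed, use wp_kses_post() here
    // and again at output instead of sanitize_text_field()/esc_html().
    $clean = sanitize_text_field( $raw );
    update_option( 'demo_location_messages', $clean );
}

function demo_render_location_messages() {
    // Escape at the point of output even though the value was sanitized on
    // save: defence in depth against data written through another path.
    echo esc_html( get_option( 'demo_location_messages', '' ) );
}
```

Sanitizing on save limits what is stored; escaping on output is what prevents the stored value from being interpreted as script, so both should be present.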



Advisories

No advisories yet.

History

Sat, 06 Jun 2026 12:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 06 Jun 2026 05:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged roles via the plugin's Permissions screen.

Type: Title
Values Removed: (none)
Values Added: WP Maps <= 4.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:42:08.069Z

Reserved: 2026-05-26T14:33:03.586Z

Link: CVE-2026-9594

Vulnrichment

Updated: 2026-06-06T11:42:03.250Z

NVD

Status: Received

Published: 2026-06-06T05:16:29.787

Modified: 2026-06-06T05:16:29.787

Link: CVE-2026-9594

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T06:30:14Z

Weaknesses