WP Go Maps <= 9.0.32 - Authenticated (Administrator+) Stored Cross-Site Scripting

Wordfence Intelligence > Vulnerability Database > WP Go Maps <= 9.0.32 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

CVE	CVE-2023-4839
CVSS	4.4 (Medium)
Publicly Published	March 12, 2024
Last Updated	March 13, 2024
Researchers	Marco Wotschka - Wordfence Akbar Kustirama - Codelatte

Description

The WP Go Maps for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.0.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Learn more about Cross-Site Scripting vulnerabilities and how to prevent them.

References

plugins.trac.wordpress.org

Vulnerability Details for WP Go Maps – Google Map, OpenStreetMap, Leaflet Map

WP Go Maps – Google Map, OpenStreetMap, Leaflet Map

Software Type	Plugin
Software Slug	wp-google-maps (view on wordpress.org)
Patched?	Yes
Remediation	Update to version 9.0.33, or a newer patched version
Affected Version	<= 9.0.32
Patched Version	9.0.33

Recent vulnerabilities in WP Go Maps – Google Map, OpenStreetMap, Leaflet Map

WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback

5.3

CVE-2026-8385

Jun 5, 2026

Researcher: Sudhanshu Chauhan

WP Go Maps (formerly WP Google Maps) <= 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings

6.4

CVE-2026-4268

Mar 17, 2026

Researcher: bashu

WP Go Maps (formerly WP Google Maps) <= 10.0.04 - Missing Authorization to Authenticated (Subscriber+) Map Engine Setting Modification

5.3

CVE-2026-0593

Jan 24, 2026

Researcher: Moose Love

Google Maps <= 9.0.47 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2025-11307

Oct 21, 2025

Researcher: sunghoon kim

WP Go Maps (formerly WP Google Maps) <= 9.0.48 - Unauthenticated Cache Poisoning

5.3

CVE-2025-11703

Oct 17, 2025

Researcher: Dmitrii Ignatyev

WP Go Maps (formerly WP Google Maps) <= 9.0.46 - Cross-Site Request Forgery to Plugin Settings Update

5.4

CVE-2025-11166

Oct 8, 2025

Researcher: Dmitrii Ignatyev

WP Go Maps <= 9.0.40 - Cross-Site Request Forgery

4.3

CVE-2025-24742

Jan 24, 2025

Researcher: Joshua Chan

WP Go Maps (formerly WP Google Maps) <= 9.0.38 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-5994

Jun 13, 2024

Researcher: Tim Coen

WP Go Maps (formerly WP Google Maps) <= 9.0.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-3557

May 23, 2024

Researcher: Thanh Nam Tran

WP Google Maps <= 9.0.29 - Reflected Cross-Site Scripting

6.1

CVE-2024-29931

Mar 25, 2024

Researcher: Rafie Muhammad

#	Title	CVE ID	CVSS	Researchers	Date
1	WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback	CVE-2026-8385	5.3	Sudhanshu Chauhan	June 5, 2026
2	WP Go Maps (formerly WP Google Maps) <= 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings	CVE-2026-4268	6.4	bashu	March 17, 2026
3	WP Go Maps (formerly WP Google Maps) <= 10.0.04 - Missing Authorization to Authenticated (Subscriber+) Map Engine Setting Modification	CVE-2026-0593	5.3	Moose Love	January 24, 2026
4	Google Maps <= 9.0.47 - Unauthenticated Stored Cross-Site Scripting	CVE-2025-11307	7.2	sunghoon kim	October 21, 2025
5	WP Go Maps (formerly WP Google Maps) <= 9.0.48 - Unauthenticated Cache Poisoning	CVE-2025-11703	5.3	Dmitrii Ignatyev	October 17, 2025
6	WP Go Maps (formerly WP Google Maps) <= 9.0.46 - Cross-Site Request Forgery to Plugin Settings Update	CVE-2025-11166	5.4	Dmitrii Ignatyev	October 8, 2025
7	WP Go Maps <= 9.0.40 - Cross-Site Request Forgery	CVE-2025-24742	4.3	Joshua Chan	January 24, 2025
8	WP Go Maps (formerly WP Google Maps) <= 9.0.38 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-5994	6.4	Tim Coen	June 13, 2024
9	WP Go Maps (formerly WP Google Maps) <= 9.0.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-3557	6.4	Thanh Nam Tran	May 23, 2024
10	WP Google Maps <= 9.0.29 - Reflected Cross-Site Scripting	CVE-2024-29931	6.1	Rafie Muhammad	March 25, 2024

View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation