"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 6 | Critical: 0 | High: 0 | Medium: 6
Showing 1-6 of 6 records

Threat Entry Updated 2026-03-18

CVE-2026-4268 - Wp Google Maps Plugin

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpgmza_custom_js’ parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the 'admin_post_wpgmza_save_settings' hook anonymous function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Google Maps

CVE-2026-4268

MEDIUM CVSS 6.4 2026-03-18

Threat Entry Updated 2025-10-09

CVE-2025-11166 - Wp Google Maps Plugin

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via…

PLUGIN Wp Google Maps

CVE-2025-11166

MEDIUM CVSS 5.4 2025-10-09

Threat Entry Updated 2025-02-11

CVE-2024-5994 - Wp Google Maps Plugin

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Version 9.0.39 adds a caution to make administrators aware of the possibility for abuse if permissions are granted to lower-level users.

PLUGIN Wp Google Maps

CVE-2024-5994

MEDIUM CVSS 6.4 2024-06-14

Threat Entry Updated 2025-02-11

CVE-2024-3557 - Wp Google Maps Plugin

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpgmza shortcode in all versions up to, and including, 9.0.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Google Maps

CVE-2024-3557

MEDIUM CVSS 6.4 2024-05-24

Threat Entry Updated 2024-11-21

CVE-2021-24383 - Wp Google Maps Plugin

The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate or escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.

PLUGIN Wp Google Maps

CVE-2021-24383

MEDIUM CVSS 5.4 2021-06-21