CVE-2026-4268 WP Go Maps (formerly WP Google Maps) <= 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings

🗓️ 18 Mar 2026 01:24:48Reported by WordfenceType

Stored script injection in WP Go Maps via wpgmza_custom_js; missing capability check.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2026-4268	18 Mar 202601:24	–	attackerkb
CNNVD	WordPress plugin WP Go Maps 跨站脚本漏洞	18 Mar 202600:00	–	cnnvd
CVE	CVE-2026-4268	18 Mar 202601:24	–	cve
EUVD	EUVD-2026-12742	18 Mar 202603:32	–	euvd
NVD	CVE-2026-4268	18 Mar 202602:16	–	nvd
Patchstack	WordPress WP Go Maps (formerly WP Google Maps) plugin <= 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings vulnerability	18 Mar 202606:41	–	patchstack
Positive Technologies	PT-2026-26022	18 Mar 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-4268	26 Mar 202615:07	–	redhatcve
Vulnrichment	CVE-2026-4268 WP Go Maps (formerly WP Google Maps) <= 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings	18 Mar 202601:24	–	vulnrichment
Wordfence Blog	Wordfence Intelligence Weekly WordPress Vulnerability Report (March 16, 2026 to March 22, 2026)	27 Mar 202621:11	–	wordfence

[
  {
    "vendor": "wpgmaps",
    "product": "WP Go Maps (formerly WP Google Maps)",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "10.0.05",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/d5599101-a7bd-4aa7-91da-f11694bdc000
plugins	www.plugins.trac.wordpress.org/browser/wp-google-maps/tags/10.0.04/includes/class.settings-page.php

08 Apr 2026 17:26Current

CVSS 3.16.4

EPSS0.00043

CWE-79

wp go maps stored script injection missing capability admin post hook wpgmza custom js