24 matches found

ATTACKERKB
added 2026/06/06 3:28 a.m. | 5 views

CVE-2026-9594

The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'locationmessages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping...

4.4 CVSS | 5.7 AI score | 0.00201 EPSS
Exploits: 0 | References: 7

CNNVD
added 2026/06/06 12:0 a.m. | 7 views

WordPress plugin WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters Cross-Site Scripting Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

4.4 CVSS | 5.4 AI score | 0.00201 EPSS
Exploits: 0 | References: 7

ATTACKERKB
added 2026/05/18 6:0 a.m. | 11 views

CVE-2026-6381

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks...

7.5 CVSS | 5.8 AI score | 0.00383 EPSS
Exploits: 0 | References: 1

Cvelist
added 2026/03/11 5:27 a.m. | 29 views

CVE-2026-3222 WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter

The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer FlipperCodeModelBase::iscolumn treating user input wrapped in backticks as column...

7.5 CVSS | 0.00418 EPSS
Exploits: 1 | References: 10

ATTACKERKB
added 2026/03/11 5:27 a.m. | 2 views

CVE-2026-3222

The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer FlipperCodeModelBase::iscolumn treating user input wrapped in backticks as column...

7.5 CVSS | 6.1 AI score | 0.00418 EPSS
Exploits: 1 | References: 11

RedhatCVE
added 2026/02/18 1:40 a.m. | 21 views

CVE-2025-12062

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-leve...

8.8 CVSS | 6.4 AI score | 0.00723 EPSS
Exploits: 0 | References: 1

NVD
added 2026/02/17 12:16 a.m. | 8 views

CVE-2025-12062

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-leve...

8.8 CVSS | 0.00723 EPSS
Exploits: 0 | References: 2

CVE
added 2026/02/16 11:22 p.m. | 21 views

CVE-2025-12062

The WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion up to and including version 4.8.6 via the fc_load_template function. This allows authenticated attackers with Subscriber-level access and above ...

8.8 CVSS | 6.5 AI score | 0.00723 EPSS
Exploits: 0 | References: 2

Cvelist
added 2025/12/09 2:14 p.m. | 29 views

CVE-2025-67535 WordPress WP Maps plugin <= 4.8.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Flipper Code - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection. This issue affects WP Maps: from n/a through <= 4.8.6...

6.6 CVSS | 0.00303 EPSS
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/03 6:11 a.m. | 19 views

CVE-2025-3502

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

4.8 CVSS | 5.7 AI score | 0.00274 EPSS
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/03 6:10 a.m. | 21 views

CVE-2025-3503

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

4.8 CVSS | 5.7 AI score | 0.00236 EPSS
Exploits: 1 | References: 1

OSV
added 2025/05/01 6:15 a.m. | 3 views

CVE-2025-3504

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

4.8 CVSS | 7.3 AI score | 0.00219 EPSS
Exploits: 1 | References: 1

NVD
added 2025/05/01 6:15 a.m. | 20 views

CVE-2025-3504

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

4.8 CVSS | 0.00219 EPSS
Exploits: 1 | References: 1

NVD
added 2025/05/01 6:15 a.m. | 19 views

CVE-2025-3502

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

4.8 CVSS | 0.00274 EPSS
Exploits: 1 | References: 1

Cvelist
added 2025/05/01 6:0 a.m. | 16 views

CVE-2025-3504 WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

0.00219 EPSS
Exploits: 1 | References: 1

Vulnrichment
added 2025/05/01 6:0 a.m. | 10 views

CVE-2025-3504 WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

5.8 AI score | 0.00219 EPSS
Exploits: 1 | References: 1

CVE
added 2025/05/01 6:0 a.m. | 67 views

CVE-2025-3504

CVE-2025-3504 affects the WP Maps WordPress plugin prior to 4.7.2. The issue is that map settings aren’t properly sanitized/escaped, enabling stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (e.g., multisite). Remediation: upgrade to WP Maps 4.7.2 or later...

4.8 CVSS | 5.4 AI score | 0.00219 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

CVE
added 2025/05/01 6:0 a.m. | 59 views

CVE-2025-3503

CVE-2025-3503 affects the WP Maps WordPress plugin prior to version 4.7.2. The vulnerability arises because some Map settings are not properly sanitized/escaped, enabling Stored XSS by high-privilege users (e.g., admins), even when unfiltered_html is disallowed (such as in multisite). Public expl...

4.8 CVSS | 5.4 AI score | 0.00236 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2025/05/01 6:0 a.m. | 36 views

CVE-2025-3503 WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

0.00236 EPSS
Exploits: 1 | References: 1

Cvelist
added 2025/05/01 6:0 a.m. | 30 views

CVE-2025-3502 WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite setup...

0.00274 EPSS
Exploits: 1 | References: 1