The WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This vulnerability allows authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The root cause of this vulnerability is insufficient input sanitization and output escaping on user-supplied shortcode attributes.
With a CVSS score of 6.4, this vulnerability is classified as medium severity. The attack vector is network-based, which means exploitation can occur over a network without physical access. Attack complexity is low, requiring only low privileges, and there is no user interaction required for the attack to succeed. The impact on confidentiality and integrity is low, while availability is not affected.
Risk to organizations includes potential unauthorized access and data manipulation, which can lead to further attacks if exploited. Therefore, organizations should address this issue in their priority patch cycle to mitigate risks associated with this vulnerability.
As of now, there are no known public exploits or proof-of-concept available for this vulnerability. However, the status of this CVE is marked as deferred, indicating that it is not currently being actively exploited. Nevertheless, organizations should prioritize patching immediately to ensure the security of their applications.
Vulnerability Details
The vulnerability in the WP Maps plugin arises from insufficient input sanitization and output escaping on user-supplied shortcode attributes. The official CVE description states that this allows authenticated attackers to inject arbitrary web scripts in pages that execute on user access. The vulnerability is associated with CWE-79, which refers to improper neutralization of input during web page generation ('Cross-site Scripting').
The CVSS score of 6.4 indicates a medium severity level, which means organizations should be aware of the potential risks and take necessary actions. The affected versions are all prior to 4.8.8 of the WP Maps plugin, and the vulnerability was first published on April 16, 2026.
Technical Analysis
The root cause of this vulnerability is the lack of proper input sanitization and output escaping on user-supplied shortcode attributes. This oversight allows an attacker with contributor level access or higher to inject malicious scripts into the application. The attack vector is network-based, which means it can be exploited remotely, and the complexity of the attack is low, making it easy for an attacker to exploit the vulnerability.
The attack requires low privileges, meaning that even users with minimal access rights can potentially exploit this vulnerability. There is no user interaction required, making the attack straightforward and efficient. The impacts to confidentiality and integrity are considered low, indicating that sensitive information may be exposed or altered without immediate detection, while the availability of the system remains unaffected.
Risk & Impact Analysis
The real-world risk associated with this vulnerability is significant, especially for organizations utilizing the WP Maps plugin in their WordPress instances. Attackers may leverage this vulnerability to inject scripts, potentially leading to unauthorized access to user data or manipulation of site content. The blast radius of such an attack could extend beyond the individual site, impacting user trust and the overall reputation of the organization.
Given the CVSS score of 6.4, organizations should assess this vulnerability with medium urgency. The potential for exploitation exists, especially in environments where the plugin is widely used. Organizations should prioritize patching to mitigate risks and secure their applications.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
All versions of the WP Maps plugin for WordPress prior to version 4.8.8 are affected by this vulnerability. Organizations should ensure that they update to the latest version to mitigate potential risks associated with this issue.
Mitigation & Remediation
Organizations should prioritize updating the WP Maps plugin to the latest version, 4.8.8 or higher, to address this vulnerability. Regularly scheduled vulnerability assessments and penetration testing can help identify and remediate such vulnerabilities before they are exploited. For ongoing security, organizations should consider engaging in penetration testing services to validate their security posture.
Detection Guidance
To detect potential exploitation of this vulnerability, organizations should monitor for the following indicators: unexpected changes to shortcode output, unusual user activity from authenticated users, and any injected scripts in the application logs. Implementing web application firewalls can also help in detecting and blocking malicious requests.
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2025-13364 highlights the ongoing challenges with input validation and output escaping in web applications, particularly in widely-used plugins like WP Maps. Security teams should understand this vulnerability as part of a broader trend where inadequate security measures lead to increased risks in web applications.
Organizations should learn from vulnerabilities like this to reinforce their security practices. Implementing secure coding standards and regular code reviews can mitigate similar vulnerabilities in the future. For further insights on effective security measures, organizations can refer to resources on security testing best practices and ongoing training for development teams.
Additionally, engaging in penetration testing methodology will help identify vulnerabilities before they can be exploited.
Finally, organizations should keep abreast of emerging threats by following threat intelligence resources, which can provide valuable insights into evolving attack patterns and trends.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)