CVE-2024-9028
Description
The WP GPX Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sgpx' shortcode in all versions up to, and including, 1.7.08 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WP GPX Maps plugin via unsanitized shortcode attributes allows contributor-level users to inject arbitrary scripts.
Vulnerability
Overview
The WP GPX Maps plugin for WordPress, up to version 1.7.08, contains a stored cross-site scripting (XSS) vulnerability in its '[sgpx]' shortcode. The plugin fails to properly sanitize user-supplied attributes and escape output, enabling attackers with contributor-level access or higher to inject arbitrary web scripts [1]. These scripts execute when other users access the affected page.
Exploitation
Prerequisites
An attacker must have at least a WordPress contributor account to exploit this vulnerability. The attack is performed by injecting malicious JavaScript through the shortcode attributes when creating or editing a post or page containing the [sgpx] shortcode [1]. No additional authentication is needed from the victim; simply visiting the compromised page triggers the payload.
Impact
Successful exploitation allows an authenticated attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, or defacing the WordPress site. Since the script is stored and executed in the context of the victim's browser, it can potentially lead to privilege escalation if an administrator views the page [1].
Mitigation
The vendor has addressed this issue in version 1.7.09 of the WP GPX Maps plugin [1]. Users are strongly advised to update to the latest version immediately. No workarounds are provided; removing or restricting contributor accounts may reduce risk but does not eliminate it.
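To make the attribute-handling flaw concrete, here is an illustrative PHP shortcode handler added for this page; it is not the WP GPX Maps plugin's code, and the attribute names `gpx` and `title` are assumed. The unsafe version shows the pattern the description refers to (shortcode attributes concatenated straight into markup), and the hardened version sanitizes on input and escapes for each output context using standard WordPress functions.

```php
<?php
// Illustrative only: NOT the WP GPX Maps plugin's source. Attribute names are assumed.

// Unsafe pattern: attribute values are dropped into HTML as-is. A contributor
// who can place [sgpx ...] in a post controls these strings, so whatever they
// contain is stored with the post and rendered for every visitor.
function sgpx_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'gpx' => '', 'title' => '' ), $atts, 'sgpx' );
    return '<div class="sgpx" data-gpx="' . $atts['gpx'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// Hardened: validate and sanitize on input, then escape per output context.
function sgpx_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'gpx' => '', 'title' => '' ), $atts, 'sgpx' );

    // The GPX reference is expected to be a URL. esc_url() strips characters
    // that are illegal in a URL (including quotes and angle brackets) and
    // rejects unknown schemes, so the result is safe inside an HTML attribute.
    $gpx = esc_url( $atts['gpx'] );
    if ( '' === $gpx ) {
        return ''; // nothing renderable: emit no markup rather than a broken tag
    }

    // Free-text attribute: strip tags and control characters before use.
    $title = sanitize_text_field( $atts['title'] );

    // Escape for the context each value lands in: attribute vs. text node.
    return sprintf(
        '<div class="sgpx" data-gpx="%s"><h3>%s</h3></div>',
        $gpx,               // already attribute-safe via esc_url()
        esc_html( $title )  // text-node context
    );
}

add_shortcode( 'sgpx', 'sgpx_shortcode_safe' );
```

The same rule applies to every attribute the shortcode accepts: numeric values go through absint() or intval(), colours through sanitize_hex_color(), and anything rendered as HTML through wp_kses_post().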
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 5
- www.wordfence.com/threat-intel/vulnerabilities/id/872c8328-9089-4bc0-af17-f755524da610 (NVD: Third Party Advisory)
- plugins.trac.wordpress.org/browser/wp-gpx-maps/trunk/wp-gpx-maps-admin-tracks.php (NVD: Product)
- plugins.trac.wordpress.org/browser/wp-gpx-maps/trunk/wp-gpx-maps.php (NVD: Product)
- wordpress.org/plugins/wp-gpx-maps/ (NVD: Product)
- plugins.trac.wordpress.org/changeset/3217023/ (NVD)
News mentions: 0
No linked articles in our index yet.