CVE-2026-9594
Description
The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged roles via the plugin's Permissions screen.
Affected products
2- Range: <=4.9.4
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The plugin fails to properly sanitize user-supplied input in the 'location_messages' parameter before storing it, leading to Stored Cross-Site Scripting."
Attack vector
An authenticated attacker with administrator-level access or the 'wpgmp_manage_location' capability can inject arbitrary web scripts into the 'location_messages' parameter. These scripts are stored by the plugin and will execute when a user views a page that displays the injected content. The vulnerability is triggered via a POST request to the plugin's save functionality.
Affected code
The vulnerability resides in the `write_to_db` and `write_to_db_backup` methods within the `WP_Google_Maps_Lite` class, specifically where the `location_messages` parameter is processed and saved to the database. The `fetch` method also shows how `location_messages` is decoded and potentially used, but the vulnerability lies in the saving process.
What the fix does
The patch addresses the vulnerability by ensuring that the 'location_messages' parameter is properly sanitized using `wp_kses_post` before being saved to the database. This function removes or sanitizes potentially harmful HTML and script tags, preventing the injection of malicious code and thus mitigating the Stored Cross-Site Scripting vulnerability.
Preconditions
- authThe attacker must have administrator-level access or the 'wpgmp_manage_location' capability.
- inputThe attacker must be able to submit a POST request containing malicious script in the 'location_messages' parameter.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.2/modules/location/model.location.phpnvd
- plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.2/modules/shortcode/views/put-wpgmp.phpnvd
- plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/modules/location/model.location.phpnvd
- plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/modules/shortcode/views/put-wpgmp.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/d082c6e6-a18a-44e2-9478-7189f9777198nvd
News mentions
0No linked articles in our index yet.