Wp Google Maps
by WordPress
CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-10692 | | Critical | 0.73 | 9.8 | 0.79 | | Apr 2, 2019 | In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement. |
| CVE-2025-11307 | | High | 0.58 | 8.8 | 0.02 | | Nov 11, 2025 | The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped. |
| CVE-2015-9309 | | High | 0.57 | 8.8 | 0.01 | | Aug 14, 2019 | The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature. |
| CVE-2015-9308 | | High | 0.57 | 8.8 | 0.01 | | Aug 14, 2019 | The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit map feature. |
| CVE-2015-9307 | | High | 0.57 | 8.8 | 0.01 | | Aug 14, 2019 | The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit location feature. |
| CVE-2024-2386 | | High | 0.50 | 8.8 | 0.00 | | Jun 29, 2024 | The WordPress Plugin for Google Maps – WP MAPS plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'put_wpgm' shortcode in all versions up to, and including, 4.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient… |
| CVE-2025-67535 | | Medium | 0.43 | 6.6 | 0.00 | | Dec 9, 2025 | Deserialization of Untrusted Data vulnerability in Flipper Code - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection. This issue affects WP Maps: from n/a through <= 4.8.6. |
| CVE-2023-6627 | | Medium | 0.40 | 6.1 | 0.01 | | Jan 8, 2024 | The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.28 does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site. |
| CVE-2016-10878 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 12, 2019 | The wp-google-map-plugin plugin before 3.1.2 for WordPress has XSS. |
| CVE-2015-9305 | | Medium | 0.40 | 6.1 | 0.01 | | Aug 12, 2019 | The wp-google-map-plugin plugin before 2.3.7 for WordPress has XSS related to the add_query_arg() and remove_query_arg() functions. |
| CVE-2019-9912 | | Medium | 0.40 | 6.1 | 0.03 | | Mar 22, 2019 | The wp-google-maps plugin before 7.10.43 for WordPress has XSS via the wp-admin/admin.php PATH_INFO. |
| CVE-2021-24383 | | Medium | 0.38 | 5.4 | 0.02 | | Jun 21, 2021 | The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate or escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. |
| CVE-2021-36871 | | Medium | 0.36 | 5.5 | 0.01 | | Sep 9, 2021 | Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps Pro premium plugin (versions <= 8.1.11). Vulnerable parameters: &wpgmaps_marker_category_name, Value > &attributes[], Name > &attributes[], &icons[], &names[], &description,… |
| CVE-2021-36870 | | Medium | 0.36 | 5.5 | 0.01 | | Sep 9, 2021 | Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps plugin (versions <= 8.1.12). Vulnerable parameters: &dataset_name, &wpgmza_gdpr_retention_purpose, &wpgmza_gdpr_company_name, &name #2, &name, &polyname #2, &polyname,… |
| CVE-2019-14792 | | Medium | 0.35 | 5.4 | 0.01 | | Aug 9, 2019 | The WP Google Maps plugin before 7.11.35 for WordPress allows XSS via the wp-admin/ rectangle_name or rectangle_opacity parameter. |
| CVE-2025-11166 | | Medium | 0.28 | 5.4 | 0.00 | | Oct 9, 2025 | The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token… |
| CVE-2014-7182 | | | 0.00 | — | 0.02 | | Oct 22, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in the WP Google Maps plugin before 6.0.27 for WordPress allow remote attackers to inject arbitrary web script or HTML via the poly_id parameter in an (1) edit_poly, (2) edit_polyline, or (3) edit_marker action in the… |