{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4268", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-16T13:55:40.592Z", "datePublished": "2026-03-18T01:24:48.418Z", "dateUpdated": "2026-04-08T17:26:06.798Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:06.798Z"}, "affected": [{"vendor": "wpgmaps", "product": "WP Go Maps (formerly WP Google Maps)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "10.0.05", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018wpgmza_custom_js\u2019 parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the 'admin_post_wpgmza_save_settings' hook anonymous function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP Go Maps (formerly WP Google Maps) <= 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5599101-a7bd-4aa7-91da-f11694bdc000?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/tags/10.0.04/includes/class.settings-page.php#L145"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hung Nguyen"}], "timeline": [{"time": "2026-03-16T14:19:24.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-17T13:24:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T14:07:08.887053Z", "id": "CVE-2026-4268", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:07:15.990Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4268", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T14:07:08.887053Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:07:12.759Z"}}], "cna": {"title": "WP Go Maps (formerly WP Google Maps) <= 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings", "credits": [{"lang": "en", "type": "finder", "value": "Hung Nguyen"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpgmaps", "product": "WP Go Maps (formerly WP Google Maps)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "10.0.05"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-16T14:19:24.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-17T13:24:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5599101-a7bd-4aa7-91da-f11694bdc000?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/tags/10.0.04/includes/class.settings-page.php#L145"}], "descriptions": [{"lang": "en", "value": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018wpgmza_custom_js\u2019 parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the 'admin_post_wpgmza_save_settings' hook anonymous function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:06.798Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4268", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:26:06.798Z", "dateReserved": "2026-03-16T13:55:40.592Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-18T01:24:48.418Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018wpgmza_custom_js\u2019 parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the 'admin_post_wpgmza_save_settings' hook anonymous function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin WP Go Maps (anteriormente WP Google Maps) para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'wpgmza_custom_js' en todas las versiones hasta e incluyendo la 10.0.05 debido a una sanitizaci\u00f3n de entrada y escape de salida insuficientes y la falta de verificaci\u00f3n de capacidad en la funci\u00f3n an\u00f3nima del hook 'admin_post_wpgmza_save_settings'. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-4268", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-18T02:16:25.047", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/tags/10.0.04/includes/class.settings-page.php#L145"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5599101-a7bd-4aa7-91da-f11694bdc000?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.0.05]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP Go Maps (formerly WP Google Maps)", "source": "cna", "vendor": "wpgmaps"}, "product": "wp_go_maps_(formerly_wp_google_maps)", "vendor": "wpgmaps"}], "analysis": {"en": {"generated_at": "2026-03-18T03:24:36.770099+00:00", "value": {"mitigation_remediation": ["Apply the latest version of WP Go Maps (update to at least 10.0.06).", "If an immediate update is not possible, disable the wpgmza_custom_js feature or remove any custom JS that has been added.", "Restrict access to the plugin\u2019s settings page to administrators only, removing Subscriber-level permissions.", "Review and sanitize any existing custom JS code in the plugin\u2019s configuration.", "Monitor site logs for suspicious script injections or unusual user\u2011agent activity."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The affected product is WP Go Maps (formerly WP Google Maps) for WordPress. All plugin versions up to and including 10.0.05 are vulnerable. No specific CPE strings are provided, but the plugin is used on WordPress sites; any site running a vulnerable version is at risk.", "description_and_impact": "Key detail from the description: the WP Go Maps plugin allows authenticated attackers with Subscriber-level access and above to inject arbitrary scripts via the wpgmza_custom_js parameter when the admin_post_wpgmza_save_settings hook is triggered. The injected scripts execute in any user\u2019s browser when they view a page that contains the malicious content. The impact is typical of stored XSS attacks, potentially enabling session hijacking, defacement, or delivery of malicious payloads. The weakness is categorized as CWE\u201179, due to insufficient input sanitization and output escaping.", "risk_and_exploitability": "The CVSS base score is 6.4, indicating medium severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only authenticated access at the Subscriber level or higher, because the plugin lacks a proper capability check. An attacker can navigate to the plugin\u2019s settings page, insert malicious script into the custom JS field, and submit the form, causing that script to be stored and served to all users who view the affected page. No public exploit has been observed, but the flaw is present in a widely used plugin."}}}}, "created": "2026-03-18T10:42:18.517021+00:00", "updated": "2026-03-24T10:53:48.122366+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpgmaps", "wpgmaps$PRODUCT$wp_go_maps_(formerly_wp_google_maps)"]}