cleantalk
Vulnerabilities and Security Researches

WP Go Maps (formerly WP Google Maps), CVE-2026-4268

CVE, Research URL

CVE-2026-4268

Home page URL

Security reports for WP Go Maps (formerly WP Google Maps)

Application

WP Go Maps (formerly WP Google Maps)

Published on
Mar 18, 2026
Research Description
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpgmza_custom_js’ parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the 'admin_post_wpgmza_save_settings' hook anonymous function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 10.0.06.
Status
vulnerable
Previous vulnerability researches
WP Google Maps Integration (CVE-2026-7464) , May 13, 2026
WP Go Maps (formerly WP Google Maps) (CVE-2025-11307) , Dec 10, 2025
WP Go Maps (formerly WP Google Maps) (CVE-2026-0593) , Apr 14, 2026
WP Go Maps (formerly WP Google Maps) (CVE-2026-4268) , Apr 14, 2026
WP Go Maps (formerly WP Google Maps) (CVE-2021-24383) , Jun 07, 2024
New vulnerability
Photo Gallery by 10Web – Mobile-Friendly Image Gallery (CVE-2026-9829) , Jun 07, 2026
Advanced Google reCAPTCHA (CVE-2026-5415) , Jun 07, 2026
Advanced Google reCAPTCHA (CVE-2026-5411) , Jun 07, 2026
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders (CVE-2026-7665) , Jun 07, 2026
Ad Inserter – Ad Manager & AdSense Ads (CVE-2026-9280) , Jun 06, 2026