cleantalk
Vulnerabilities and Security Researches

WordPress Plugin for Google Maps – WP MAPS, CVE-2025-13364

CVE, Research URL

CVE-2025-13364

Home page URL

Security reports for WordPress Plugin for Google Maps – WP MAPS

Application

WordPress Plugin for Google Maps – WP MAPS

Published on
Apr 16, 2026
Research Description
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 4.8.8.
Status
vulnerable
Previous vulnerability researches
WP Responsive Images (CVE-2026-1557) , Apr 15, 2026
New vulnerability
WP YouTube Lyte (CVE-2026-3299) , Apr 16, 2026
WordPress Plugin for Google Maps – WP MAPS (CVE-2025-13364) , Apr 16, 2026
WordPress Plugin for Google Maps – WP MAPS (CVE-2026-39492) , Apr 16, 2026
Tutor LMS – eLearning and online course solution (CVE-2026-0548) , Apr 16, 2026
Tutor LMS – eLearning and online course solution (CVE-2026-40740) , Apr 16, 2026