CVE-2026-9594: WP Maps Plugin Stored XSS Vulnerability (Versions ≤4.9.4)
The WP Maps plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 4.9.4. An attacker with administrator access or a custom role granted the wpgmp_manage_location capability can inject malicious scripts into location messages. These scripts execute whenever site visitors access pages containing the injected content, potentially compromising user sessions, stealing credentials, or redirecting visitors to malicious sites. The vulnerability requires authenticated access and administrative privileges, limiting its immediate risk but making it a concern for organizations with admin account security gaps or custom role configurations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged roles via the plugin's Permissions screen.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9594 is a Stored XSS vulnerability (CWE-79) in the WP Maps plugin arising from insufficient sanitization of the 'location_messages' parameter and inadequate output escaping. The vulnerability is exploitable by authenticated users with the wpgmp_manage_location capability—a permission granted to administrators by default but configurable through the plugin's Permissions screen. When a malicious actor with these privileges submits crafted input through location message fields, the unsanitized payload persists in the database and executes in the browser context of subsequent site visitors. The CVSS v3.1 score of 4.4 (MEDIUM) reflects the high privilege barrier (PR:H) required for exploitation, though the impact spans multiple sessions and user contexts (S:C).
Business impact
A successful exploitation could damage your organization's reputation by serving malicious content to your website visitors without their knowledge. Depending on the injected payload, attackers could harvest visitor credentials, capture form submissions, redirect users to phishing sites, or distribute malware. The stored nature of the attack means the compromise persists until the malicious content is discovered and removed, amplifying exposure across your user base. For organizations relying on the plugin for location-based services or store locators, this vulnerability also creates liability concerns if customer data is compromised through an attack leveraging your own website.
Affected systems
WordPress installations running the WP Maps plugin in versions 4.9.4 and earlier are affected. The attack surface is limited to accounts holding administrator status or custom roles explicitly assigned the wpgmp_manage_location capability. Organizations using the plugin's Permissions screen to grant location management to non-administrator users expand their risk profile, as any such user becomes a potential attack vector.
Exploitability
This vulnerability requires authentication and administrator-level privileges or equivalent custom capability assignment. An attacker must already have inside access to the WordPress admin interface—either through compromised credentials, insider threat, or intentional privilege delegation. No unauthenticated exploitation is possible. The attack does not require user interaction (UI:N in the CVSS vector) once the malicious payload is injected; the XSS executes automatically when visitors access affected pages. While the barrier to exploitation is high, organizations with weak admin credential hygiene, password reuse, or overly permissive custom role assignments face elevated risk.
Remediation
Update the WP Maps plugin to the patched version released after 4.9.4 (verify the exact version number against the official plugin repository or the vendor's advisory). The patch should address both input sanitization of the location_messages parameter and output escaping to prevent script injection. After patching, audit any users or custom roles that have been assigned the wpgmp_manage_location capability and remove this permission from accounts that do not require it. Review the plugin's Permissions screen and restrict location management duties to verified, trusted administrators with strong credential hygiene.
Patch guidance
Verify the latest patched version of the WP Maps plugin against the official WordPress.org plugin repository or the developer's security advisory. Update through the WordPress admin dashboard (Plugins > Updates) or manually download and deploy the patched version. Before updating, take a backup of your WordPress database and files. After patching, clear any caching layers and verify that location message fields render correctly across your site's frontend. Test with a non-administrator account to confirm that the plugin's Permissions screen functions as intended and that privilege escalation is not possible.
Detection guidance
Search your WordPress database for suspicious script tags, JavaScript event handlers (onclick, onerror, onload), or encoded payloads within the location_messages field of your maps plugin tables. Review WordPress admin logs and audit trails for any changes to location data made by administrator accounts during periods when you cannot verify legitimate activity. Monitor network traffic for external calls or data exfiltration originating from pages displaying location information. If available, use security plugins (such as Wordfence or Sucuri) to scan for stored XSS patterns in the database. Inspect page source code of pages displaying maps and locations for unexpected scripts between your content and closing tags.
Why prioritize this
Although rated MEDIUM severity due to high authentication barriers, this vulnerability warrants prompt attention because stored XSS poses ongoing risk to your entire visitor base once injected. The attack surface includes any user to whom you've delegated location management, potentially widening the attacker pool beyond just administrators. Organizations handling sensitive customer data via their website (e-commerce, directory services, booking systems) should prioritize patching to avoid reputational and compliance damage. The stored nature also means the vulnerability compounds over time if unaddressed.
Risk score, explained
The CVSS score of 4.4 reflects the requirement for high privilege (administrator or equivalent custom capability) to exploit the vulnerability (PR:H) and the complexity of establishing the attack environment (AC:H). However, the impact is not negligible: the vulnerability affects the confidentiality and integrity of all users accessing injected content across all scopes (S:C, C:L, I:L). The lack of availability impact (A:N) prevents a higher score. Organizations should not interpret a MEDIUM score as low-priority; stored XSS can have severe business consequences if wielded against a high-traffic or sensitive site, and the persistence of the attack justifies rapid remediation.
Frequently asked questions
Can a non-administrator user exploit this vulnerability?
Only if you have explicitly granted them the wpgmp_manage_location capability through the plugin's Permissions screen. By default, this capability is reserved for administrators. Audit your custom role assignments to ensure no unnecessary delegation has occurred.
Does updating the plugin remove malicious scripts already injected into the database?
No. Patching the plugin prevents new injections but does not clean existing malicious payloads from your database. After patching, you must manually audit location message fields for suspicious content and remove any discovered XSS payloads.
How can I quickly determine if I've been compromised by this vulnerability?
Check your location message data in the plugin's database tables for script tags, event handlers, or suspicious code. Review admin logs for unexplained changes to location data. Use WordPress security plugins to scan for stored XSS. If you find malicious content, isolate the affected pages, notify users who may have been exposed, and restore from a clean backup if necessary.
Is there a workaround if I cannot patch immediately?
Restrict the wpgmp_manage_location capability to only essential administrators with strong, unique credentials. Disable the location messages feature if unused. Monitor the affected admin screens closely for unauthorized changes. However, these are temporary measures; patching should be completed as soon as possible.
This analysis is provided for informational purposes to help security teams understand and mitigate CVE-2026-9594. SEC.co does not guarantee the accuracy of third-party vendor patch information; always verify patch version numbers and update procedures against the official WordPress plugin repository and the plugin developer's published security advisories. Organizations must conduct their own risk assessment based on their specific deployment of the WP Maps plugin, custom role configurations, and business context. This advisory does not constitute legal or compliance advice. Consult your internal security policies, legal counsel, and compliance teams regarding notification requirements, data breach response, and remediation timelines for any confirmed exploitation. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1