CVE-2023-6697
Published: 2024-01-24
Priority: P3 · Severity: medium · CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitation: EPSS 1.04% (59.7th percentile)
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to, and including, 9.0.28 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpgmaps | wp_go_maps | <= 9.0.28 | — |
Detection & IOCs (extracted from sources)
- Look for unauthenticated GET/POST requests to WP Go Maps plugin endpoints whose map id parameter carries an injected script payload (e.g., <script> tags or JavaScript event handlers). URL-decode the query string before matching: payloads arrive percent-encoded, and a single decode misses double-encoded probes.
- Nuclei/scanner detection fingerprint: an HTTP 200 response with Content-Type text/html whose body contains both the injected payload and the string 'Map Alignment'. A body that returns the payload HTML-entity-encoded (&lt;script&gt;) is output escaping working, not a hit.
- The attack vector is unauthenticated but requires social engineering (e.g., a crafted link) to execute the reflected XSS payload in a victim's browser. The fix changeset referenced below modifies the plugin's map edit page template (map-edit-page.html.php), which suggests the reflected output sits in an admin-side page; weight alerts for logged-in victims accordingly.
- All plugin versions up to and including 9.0.28 are affected; scope detection and patch verification to that range.
- The plugin was formerly known as 'WP Google Maps'; both product names may appear in HTTP headers, page content, or plugin paths during detection.
VulDB
WP Go Maps Plugin up to 9.0.28 on WordPress cross site scripting (ID 3022232)
vuldb · 2026-04-11 · CVSS 6.1 · MEDIUM
A vulnerability classified as problematic was found in WP Go Maps Plugin up to 9.0.28 on WordPress. This affects an unknown function. Such manipulation leads to cross site scripting.
This vulnerability is referenced as CVE-2023-6697. It is possible to launch the attack remotely. No exploit is available.
GHSA
GHSA-c5vx-x65g-94m5: The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions
ghsa_unreviewed · 2024-01-24 · MEDIUM · CWE-79
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to, and including, 9.0.28 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
No detection rules found.
Nuclei
WP Go Maps (formerly WP Google Maps) < 9.0.29 - Cross-Site Scripting
nuclei · CVSS 6.1 · MEDIUM

Template body as indexed on this page. In this extracted copy the request line has lost its path (only the protocol survived) and the first body matcher word is empty (the detection summary above describes it as the script-injection payload), so the fragment is not runnable as shown. The matcher logic that did survive is unambiguous: an HTTP 200 response, Content-Type text/html, with a body that contains both the payload and the string 'Map Alignment'.

```yaml
# request line as extracted: the path is missing from the source page
WP Go Maps (formerly WP Google Maps) HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
  - type: word
    part: body
    words:
      - ''
      - 'Map Alignment'
    condition: and
  - type: word
    part: content_type
    words:
      - text/html
  - type: status
    status:
      - 200
# digest: 4a0a00473045022100e9b991aaf29d65c1953d4bb048bfdde7b1f260ba846b618d5fa0cd04a285ebed02201c26700030fb1015a7e4a3bbbd6d0b660bda82de4650ffc1b40eef98110564fc:922c64590222798bb761d5b6d8e72950
```
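The IOC list above and the Nuclei matchers describe the same two checks: a request-side probe pattern (script payload in the map id parameter of a plugin request) and a response-side fingerprint (200, text/html, payload reflected next to 'Map Alignment'). The following is an added example, not code from this page, the plugin or the Nuclei project, implementing both in Python over constructed access-log lines and response bodies. The plugin slug wp-google-maps is taken from the trac changeset URL on this page; the admin page name used in the sample log, the wp-go-maps path marker and the exact map id parameter spellings are assumptions.

```python
"""Triage helpers for CVE-2023-6697-style reflected XSS probes against
WP Go Maps (constructed example; not the plugin's or the advisory's code).

  find_xss_probes()          scan access-log lines for plugin requests whose
                             map-id parameter carries a script payload
  matches_nuclei_fingerprint mirror the indexed Nuclei matcher logic
  reflection_state()         tell a raw reflection (vulnerable) from an
                             HTML-escaped one (what output escaping yields)
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# "wp-google-maps" is the slug in the trac changeset URL on this page;
# "wp-go-maps" is an assumption covering installs using the newer name.
PLUGIN_PATH_MARKERS = ("wp-google-maps", "wp-go-maps")
# The advisory only says "map id parameter"; these spellings are assumed.
MAP_ID_PARAMS = ("map_id", "mapid", "map id")
# Payload shapes from the IOC list (script tags, event handlers) plus
# javascript: URLs.
SCRIPT_PAYLOAD = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)
# Combined Log Format: enough fields for client IP, timestamp, target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (not real traffic): lines 1 and 3 are probes,
# lines 2 and 4 are benign. The page=wp-google-maps-menu admin slug is part
# of the constructed data, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jan/2024:10:01:02 +0000] "GET /wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [24/Jan/2024:10:02:15 +0000] "GET /wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jan/2024:10:03:44 +0000] "GET /wp-admin/admin.php?page=wp-google-maps-menu&map_id=1%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 4100 "-" "curl/8.0"
192.0.2.9 - - [24/Jan/2024:10:04:00 +0000] "GET /wp-content/plugins/wp-google-maps/readme.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def find_xss_probes(log_text):
    """Return one dict per request that targets a plugin path and carries a
    script payload in a map-id parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not any(k in unquote_plus(target).lower() for k in PLUGIN_PATH_MARKERS):
            continue
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            if name.lower() not in MAP_ID_PARAMS:
                continue
            for value in values:
                # parse_qs already percent-decoded once; decode again so a
                # double-encoded payload (%253C -> %3C -> <) is still caught.
                decoded = unquote_plus(value)
                if SCRIPT_PAYLOAD.search(decoded):
                    hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": int(m.group("status")),
                                 "param": name, "payload": decoded})
    return hits


def reflection_state(body, payload):
    """'raw' if the payload comes back verbatim (exploitable), 'escaped' if it
    comes back entity-encoded (output escaping in place), else 'absent'."""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    return "absent"


def matches_nuclei_fingerprint(status, content_type, body, payload):
    """Same logic as the indexed Nuclei matchers: status 200 AND content_type
    text/html AND body containing both the payload and 'Map Alignment'."""
    return (status == 200
            and content_type.lower().startswith("text/html")
            and payload in body
            and "Map Alignment" in body)


if __name__ == "__main__":
    for hit in find_xss_probes(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["param"]}={hit["payload"]!r}')
```

Run stand-alone it prints the two probing requests from 203.0.113.7. reflection_state is the check to run on a captured response before escalating: a body that contains `&lt;script&gt;` where the probe sent `<script>` means the site is escaping the parameter, which is the behaviour a patched build should show.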
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/changeset/3022232/wp-google-maps/trunk/html/atlas-novus/map-edit-page/map-edit-page.html.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c3115b-8921-429d-b517-b946edab1cd5?source=cve