cbcvebase.
CVE-2023-6697
published 2024-01-24

CVE-2023-6697: The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to…

PriorityP333medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
1.04%
59.7th percentile
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to, and including, 9.0.28 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affected

1 ranges
VendorProductVersion rangeFixed in
wpgmapswp_go_maps<= 9.0.28

Detection & IOCsextracted from sources · hover to see the quote

othermap id parameter (Reflected XSS via unsanitized map id)
  • Look for unauthenticated GET/POST requests to WP Go Maps plugin endpoints containing unsanitized 'map id' parameter values with injected script payloads (e.g., <script> tags or JavaScript event handlers).
  • Nuclei/scanner detection fingerprint: match HTTP 200 response with Content-Type text/html, body containing both a script-injection payload and the string 'Map Alignment'.
  • The attack vector is unauthenticated and requires social engineering (e.g., a crafted link) to execute the reflected XSS payload in a victim's browser.
  • ·All plugin versions up to and including 9.0.28 are affected; ensure detection rules target this version range.
  • ·The plugin was formerly known as 'WP Google Maps'; both product names may appear in HTTP headers, page content, or plugin paths during detection.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.