CVE-2024-29931
published 2024-03-27


Priority P279 · medium 6.1 · CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.75% (50.4th percentile)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPGMaps WP Go Maps wp-google-maps. This issue affects WP Go Maps: from n/a through <= 9.0.29.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codecabin | wp_go_maps | < 9.0.30 | 9.0.30 |
| wpgmaps | wp_go_maps | <= 9.0.29 | |

Detection & IOCs (extracted from sources)

yara
rule CVE_2024_29931_WPGoMaps_XSS {
    strings:
        $xss = "alert(document.domain)<a"
        $plugin = "wp-google-maps"
    condition:
        // match only when the payload marker and the plugin slug both appear
        $xss and $plugin
}
  • Look for XSS payloads containing 'alert(document.domain)<a' in requests targeting the WP Go Maps plugin ('wp-google-maps') on WordPress installations running version <= 9.0.29.
  • The vulnerability is an Improper Neutralization of Input During Web Page Generation (XSS) affecting WP Go Maps from n/a through version 9.0.29; monitor web requests to wp-google-maps plugin endpoints for unsanitized script injection.
  • The YARA/detection rule digest is provided as a rule integrity check; verify the rule matches the digest before deploying: 4a0a004730450221009ddd63089b8dccac714327e884bc3f801bfc777a18849c660d7386063748c37a02206114abcde652db61ef557ce78ddbb43e61a75bb2eb38faa41654f7ef3356281f:922c64590222798bb761d5b6d8e72950

CVSS provenance

nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck · 6.1 MEDIUM