WordPress Security Bulletin: WP Go Maps (formerly WP Google Maps) Vulnerability (CVE-2026-4268)

Security Alert Summary

The WP Go Maps (formerly WP Google Maps) WordPress plugin has a stored cross-site scripting (XSS) vulnerability via the wpgmza_custom_js parameter. The issue is caused by insufficient input sanitization and output escaping combined with a missing capability check in an anonymous function hooked to admin_post_wpgmza_save_settings. Authenticated users with Subscriber-level access or higher can inject scripts that will execute when other users view an injected page.


CVE Details

  • CVE ID: CVE-2026-4268
  • Affected plugin / component: WP Go Maps (formerly WP Google Maps) plugin
  • Affected versions: All versions up to, and including, 10.0.05
  • Published: March 18, 2026 at 2:16:25 AM
  • Last modified: March 18, 2026 at 2:52:44 PM
  • CVSS v3.1: Base Score 6.4 — MEDIUM
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
    • Attack Vector: NETWORK
    • Attack Complexity: LOW
    • Privileges Required: LOW (authenticated user)
    • User Interaction: NONE
    • Scope: CHANGED
  • Authentication / privileges / user interaction: Requires an authenticated user with low privileges (Subscriber-level access or higher); no user interaction is required for the injected payload to execute when a victim visits an affected page.
  • Primary impact:
    • Confidentiality: LOW
    • Integrity: LOW
    • Availability: NONE
  • Weakness (CWE): CWE-79 (Cross-site Scripting)

Technical Details

The vulnerability is a stored cross-site scripting (XSS) issue that arises from insufficient input sanitization and output escaping of the wpgmza_custom_js parameter. The CVE notes a missing capability check in an anonymous function attached to the admin_post_wpgmza_save_settings hook. Because the plugin fails to properly validate or escape the provided JavaScript and does not enforce the appropriate capability checks when saving settings via that hook, an authenticated user with Subscriber-level permissions or higher can save arbitrary script content.

When malicious script is stored via wpgmza_custom_js, that script will be included in pages rendered by the site and will execute in the context of any user who visits the injected page. The impact is limited to what XSS typically enables under the stated CVSS impacts (confidentiality and integrity effects at a low level); the entry does not state further escalation or remote code execution beyond stored XSS.
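To make the defect class concrete, here is an added illustration (not the plugin's own code, and not taken from the CVE entry) of a minimal admin_post handler with the three problems the bulletin names, beside a hardened version. The option name, nonce action and function names are hypothetical; only the hook name and the wpgmza_custom_js parameter come from the bulletin.

```php
<?php
// Added example, not WP Go Maps source. Function, option and nonce names are
// hypothetical; 'admin_post_wpgmza_save_settings' and 'wpgmza_custom_js' are
// the names given in the bulletin.

// --- Vulnerable pattern ------------------------------------------------------
// admin-post.php fires admin_post_{action} for EVERY logged-in user, so a
// Subscriber reaches this callback unless the callback itself checks rights.
add_action( 'admin_post_wpgmza_save_settings', function () {
    // No capability check, no nonce check, raw value persisted as-is.
    $custom_js = isset( $_POST['wpgmza_custom_js'] ) ? wp_unslash( $_POST['wpgmza_custom_js'] ) : '';
    update_option( 'example_custom_js', $custom_js ); // hypothetical option name
    wp_safe_redirect( wp_get_referer() );
    exit;
} );

// --- Hardened pattern --------------------------------------------------------
function example_save_settings_hardened() {
    // 1. Authorization: editing site-wide plugin settings is an administrator task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the settings form must carry a matching nonce
    //    (generated with wp_nonce_field( 'example_save_settings' )).
    check_admin_referer( 'example_save_settings' ); // hypothetical nonce action

    $custom_js = isset( $_POST['wpgmza_custom_js'] ) ? wp_unslash( $_POST['wpgmza_custom_js'] ) : '';

    // 3. This field holds JavaScript that the site intentionally executes, so
    //    output escaping cannot make it safe to accept from low-privilege users.
    //    Gate it on the capability WordPress uses for raw markup; this also
    //    honours DISALLOW_UNFILTERED_HTML, which strips that capability from all users.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $custom_js = '';
    }

    update_option( 'example_custom_js', $custom_js );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_wpgmza_save_settings', 'example_save_settings_hardened' );
```

The point of the contrast is where the control belongs: a setting whose purpose is to emit executable JavaScript cannot be made safe by escaping at output time, because escaping would break the feature. What prevents a Subscriber from turning the setting into a stored XSS vector is the authorization check at the moment of writing, together with the nonce that stops the same write from being triggered cross-site.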


How This Could Impact Your Website

Consider a site with a site owner, several internal staff members (editors or authors), and an external contractor or contributor who has a Subscriber or higher account. A malicious contributor could save JavaScript into the plugin settings using the wpgmza_custom_js parameter. When other users—such as staff members or administrators—view a page that includes the plugin’s output, the injected script could run in their browsers.

Practical consequences include exposure of session tokens or user-specific data accessible to the browser, theft of user-visible information (for example email addresses displayed on pages), and an increased risk of targeted phishing or social engineering based on information collected via the injected script. Actions that require higher privileges on the server are not described in the CVE; impacts are aligned with the CVSS ratings of low confidentiality and integrity impact and no availability impact.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available (the CVE entry does not specify a fixed version).
  • Review and reduce unnecessary user roles and privileges, especially for contributors and other low-privilege accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and logs for unusual behavior, including unexpected changes to plugin settings or suspicious scripts appearing in pages.
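Until a fixed plugin version is installed, the first and last items above can be supported with a small must-use plugin. The following is an added example, not code from the bulletin or from the WP Go Maps project: it refuses the settings-save request for users who cannot manage options, and writes an audit line whenever a plugin option changes. It assumes, which the bulletin does not state, that the plugin registers its own callback at the default priority (10) and stores its settings in options whose names begin with "wpgmza".

```php
<?php
/**
 * Plugin Name: Example WP Go Maps settings guard
 * Description: Added example (not the plugin's code). Place in wp-content/mu-plugins/
 *              until the patched plugin version is installed, then remove.
 *
 * Assumptions not stated by the bulletin: the plugin's handler on
 * admin_post_wpgmza_save_settings runs at the default priority (10), and the
 * plugin's options are named with a "wpgmza" prefix.
 */

// 1. Mitigation: run at priority 1, before the plugin's own callback, and end the
//    request unless the user may manage site options.
add_action( 'admin_post_wpgmza_save_settings', function () {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators proceed to the plugin's handler as normal
    }
    error_log( sprintf(
        'wpgmza-guard: blocked wpgmza_save_settings by user %d from %s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
}, 1 );

// 2. Detection: audit every change to a plugin option, whichever code path
//    wrote it. Logging a digest rather than the value keeps the log free of
//    any script content while still showing that and when the value changed.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( 0 !== strpos( $option, 'wpgmza' ) ) {
        return;
    }
    $serialise = function ( $v ) {
        return is_scalar( $v ) ? (string) $v : wp_json_encode( $v );
    };
    $user_id = get_current_user_id();
    error_log( sprintf(
        'wpgmza-guard: option %s changed by user %d (manage_options=%s) old=%s new=%s',
        $option,
        $user_id,
        current_user_can( 'manage_options' ) ? 'yes' : 'no',
        substr( hash( 'sha256', $serialise( $old_value ) ), 0, 12 ),
        substr( hash( 'sha256', $serialise( $value ) ), 0, 12 )
    ) );
}, 10, 3 );
```

Lines tagged "manage_options=no" in the PHP error log are the ones worth investigating: a plugin setting changed by an account that should not be able to change any. The guard is a stopgap for the specific hook the bulletin names; it does not replace updating the plugin once a patched release appears.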

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
