[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fB-qDygqpk8SdHBgqZpoBvbYfOD8lx2YkSNoC86f9mT8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-9594","wp-maps-authenticated-admin-stored-cross-site-scripting-via-locationmessages-parameter","WP Maps \u003C= 4.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter","The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged roles via the plugin's Permissions screen.","wp-google-map-plugin",null,"\u003C=4.9.4","4.9.5","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-05 15:28:12","2026-06-06 03:28:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd082c6e6-a18a-44e2-9478-7189f9777198?source=api-prod",1,[22,23,24,25,26,27,28],"assets\u002Fcss\u002Fwpgmp_all_backend.css","assets\u002Fcss\u002Fwpgmp_all_backend.min.css","assets\u002Fcss\u002Fwpgmp_all_frontend.css","assets\u002Fcss\u002Fwpgmp_all_frontend.min.css","modules\u002Flocation\u002Fmodel.location.php","modules\u002Fshortcode\u002Fviews\u002Fput-wpgmp.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-9594 (WP Maps Stored XSS)\n\n## 1. Vulnerability Summary\nThe **WP Maps** plugin (up to 4.9.4) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `location_messages` parameter. The vulnerability exists in the `WPGMP_Model_Location` class within `modules\u002Flocation\u002Fmodel.location.php`. Specifically, the `write_to_db_backup()` method accepts the `location_messages` POST parameter and saves it to the database using only `wp_unslash()`, omitting any sanitization (e.g., `wp_kses` or `sanitize_text_field`). When these locations are retrieved for display (e.g., on a map), the unsanitized content is rendered, allowing execution of arbitrary JavaScript in the context of any user viewing the map.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** Admin form submission (typically `admin.php?page=wpgmp_form_location` or a related AJAX action).\n- **Vulnerable Parameter:** `location_messages`\n- **Authentication:** Required. An attacker must have the `wpgmp_manage_location` capability (granted to Administrators by default).\n- **Preconditions:** The plugin must be active, and at least one map must be created to display the malicious location.\n\n## 3. Code Flow\n1.  **Entry Point:** An authenticated user submits a request to add or edit a location. This triggers the saving logic, likely calling `WPGMP_Model_Location::write_to_db_backup()`.\n2.  **Storage (Sink):** In `modules\u002Flocation\u002Fmodel.location.php`, `write_to_db_backup()` takes `$_POST['location_messages']`:\n    ```php\n    if ( isset( $_POST['location_messages'] ) )\n        $data['location_messages'] = wp_unslash( $_POST['location_messages'] );\n    ```\n    The data is then stored in the `{$wpdb->prefix}map_locations` table via `FlipperCode_Database::insert_or_update`.\n3.  **Processing:** When a map is rendered via shortcode, `modules\u002Fshortcode\u002Fviews\u002Fput-wpgmp.php` calls `$location_obj->fetch()`. \n4.  **Transformation:** In `fetch()`, the plugin attempts to decode `location_messages`:\n    ```php\n    if ( ! is_null( $object->location_messages ) ) {\n        $decoded = base64_decode( $object->location_messages );\n        $parsed  = maybe_serialize( $decoded ); \u002F\u002F Note: possible typo in source, likely intended maybe_unserialize\n        if ( is_array( $parsed ) && isset( $parsed['googlemap_infowindow_message_one'] ) ) {\n            $object->location_messages = $parsed['googlemap_infowindow_message_one'];\n        }\n    }\n    ```\n    If `base64_decode` fails or the result isn't a serialized array, the original payload persists.\n5.  **Output (Sink):** The fetched locations are passed to the frontend JavaScript (Leaflet\u002FGoogle Maps), which renders the `location_messages` inside an InfoWindow without proper output escaping.\n\n## 4. Nonce Acquisition Strategy\nThe plugin uses nonces for admin operations. The `update_loc` function in `modules\u002Flocation\u002Fmodel.location.php` explicitly checks for `wpgmp-nonce`.\n\n**Steps to obtain the nonce:**\n1.  Identify the shortcode: Use `[put_wpgmp id='1']`.\n2.  Create a page with the shortcode using WP-CLI.\n3.  Navigate to the Admin Location page: `\u002Fwp-admin\u002Fadmin.php?page=wpgmp_form_location`.\n4.  Use `browser_eval` to extract the nonce from the localized script. The plugin typically localizes data under a global object.\n5.  **Target JS Variable:** `window.wpgmp_local?.nonce` or similar. Check the page source for `wp_localize_script` calls associated with `wpgmp-nonce`.\n\n## 5. Exploitation Strategy\nThe goal is to inject an XSS payload into the `location_messages` field.\n\n### Step 1: Data Setup\nCreate a Map and a Location to identify the correct `entityID` and `map_id`.\n```bash\n# Create a map\nwp eval \"new WPGMP_Model_Map();\" # Simplified: Usually done via UI\n```\n\n### Step 2: Payload Delivery\nUse `http_request` to send a POST request to the location save handler.\n\n**Request Details:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=wpgmp_form_location` (or the AJAX handler if confirmed)\n- **Method:** POST\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters:**\n    - `_wpnonce`: [EXTRACTED_NONCE]\n    - `location_title`: `XSS Test`\n    - `location_address`: `123 Test St`\n    - `location_messages`: `\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n    - `location_settings[extensions_fields]`: `...`\n    - `page`: `wpgmp_form_location`\n    - `action`: `wpgmp_save_location` (Inferred from model class methods)\n\n*Note: If the `base64_decode` in `fetch()` interferes, the payload should be a base64-encoded serialized array:*\n`location_messages` = `YToxOntzOjMyOiJnb29nbGVtYXBfaW5mb3dpbmRvd19tZXNzYWdlX29uZSI7czoyNToiPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PiI7fQ==`\n\n### Step 3: Triggering the XSS\nNavigate to the page containing the `[put_wpgmp]` shortcode. The payload will execute when the location's InfoWindow is triggered or the map loads.\n\n## 6. Test Data Setup\n1.  **Plugin:** Install and activate `wp-google-map-plugin` v4.9.4.\n2.  **User:** Create an admin user to perform the injection.\n3.  **Map:** Create a map with ID `1`.\n4.  **Shortcode Page:** \n    ```bash\n    wp post create --post_type=page --post_title=\"Map Page\" --post_status=publish --post_content=\"[put_wpgmp id='1']\"\n    ```\n\n## 7. Expected Results\n- The POST request should return a success message (e.g., \"Location added successfully\").\n- When viewing the \"Map Page\", the browser should execute the injected script (e.g., show an alert box).\n\n## 8. Verification Steps\nAfter the HTTP request, verify the database entry via WP-CLI:\n```bash\nwp db query \"SELECT location_messages FROM wp_map_locations ORDER BY location_id DESC LIMIT 1;\"\n```\nConfirm the output contains the raw `\u003Cscript>` tag or the crafted base64 string.\n\n## 9. Alternative Approaches\nIf the direct POST to the admin page fails, check for an AJAX entry point:\n- **Action:** `wp_ajax_wpgmp_save_location`\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Parameter:** `fc-location-new-set` (observed in `update_loc()` as a JSON string). This method might require injecting into the JSON object properties like `messages`.","The WP Maps plugin (up to 4.9.4) is vulnerable to Stored Cross-Site Scripting (XSS) via the 'location_messages' parameter. Authenticated attackers with the 'wpgmp_manage_location' capability (administrators by default) can inject arbitrary web scripts that execute in the context of any user viewing a map containing the malicious location.","\u002F\u002F modules\u002Flocation\u002Fmodel.location.php\npublic function write_to_db_backup(){\n\n    $entityID = '';\n    if ( isset( $_POST['entityID'] ) )\n    $entityID = intval( wp_unslash( $_POST['entityID'] ) );\n\n    if ( isset( $_POST['location_messages'] ) )\n    $data['location_messages'] = wp_unslash( $_POST['location_messages'] );","--- modules\u002Flocation\u002Fmodel.location.php\n+++ modules\u002Flocation\u002Fmodel.location.php\n@@ -187,2 +187,2 @@\n \t\t\tif ( isset( $_POST['location_messages'] ) )\n-\t\t\t$data['location_messages'] = wp_unslash( $_POST['location_messages'] );\n+\t\t\t$data['location_messages'] = wp_kses_post( wp_unslash( $_POST['location_messages'] ) );","1. Authenticate with Administrator privileges (or a role with the 'wpgmp_manage_location' capability).\n2. Navigate to the map location management screen and extract the 'wpgmp-nonce' from the page source or localized script variables.\n3. Send a POST request to '\u002Fwp-admin\u002Fadmin.php?page=wpgmp_form_location' with the 'location_messages' parameter containing a JavaScript payload (e.g., \u003Cscript>alert(1)\u003C\u002Fscript>).\n4. Ensure the request includes required fields: '_wpnonce', 'location_title', and 'location_address'.\n5. Navigate to a frontend page containing the '[put_wpgmp]' shortcode that displays the affected map. The script will execute when the map loads or when the location's InfoWindow is opened.","gemini-3-flash-preview","2026-06-26 03:01:11","2026-06-26 03:02:46",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.9.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-google-map-plugin\u002Ftags\u002F4.9.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-google-map-plugin.4.9.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-google-map-plugin\u002Ftags\u002F4.9.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-google-map-plugin.4.9.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-google-map-plugin\u002Ftags"]