Sunghoon Kim

**Name of the Vulnerable Software and Affected Versions** WP Go Maps (formerly WP Google Maps) versions prior to 9.0.48 **Description** The WP Go Maps WordPress plugin does not properly sanitize user-supplied data submitted through an AJAX request. This allows unauthenticated users to inject and store cross-site scripting (XSS) payloads. These payloads are subsequently retrieved via another AJAX call and displayed without proper escaping, potentially leading to the execution of malicious scripts. The plugin is vulnerable because it fails to validate input before processing it, creating an opportunity for attackers to compromise the system. **Recommendations** Update WP Go Maps (formerly WP Google Maps) to version 9.0.48 or later.