CVE-2019-19134

Name of the Vulnerable Software and Affected Versions Hero Maps Premium plugin versions 2.2.1 and prior

Description The issue is related to insufficient sanitization of user-supplied input, leading to unauthenticated XSS. An attacker can inject HTML or arbitrary JavaScript within the browser of an unsuspecting user in the context of the affected site, potentially allowing the attacker to steal cookie-based tokens or launch other attacks.

Recommendations For Hero Maps Premium plugin versions 2.2.1 and prior, consider disabling access to the views/dashboard/index.php page or restricting the use of the p parameter until a patch is available. As a temporary workaround, avoid using the p parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.