CVE-2024-5994

Name of the Vulnerable Software and Affected Versions: WP Go Maps plugin for WordPress versions up to, and including, 9.0.38

Description: The issue allows authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages via the Custom JS option. This makes it possible for attackers to execute scripts whenever a user accesses an injected page. The problem is related to the possibility for abuse if permissions are granted to lower-level users.

Recommendations: For versions up to, and including, 9.0.38, update to version 9.0.39 or later to resolve the issue. As a temporary workaround, consider restricting permissions to prevent lower-level users from accessing the Custom JS option.