CVE-2026-4268

Name of the Vulnerable Software and Affected Versions WP Go Maps (formerly WP Google Maps) versions through 10.0.05

Description The WP Go Maps plugin for WordPress is susceptible to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. A missing capability check in the admin post wpgmza save settings hook anonymous function allows authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into pages. These scripts will execute whenever a user accesses the injected page via the wpgmza custom js parameter.

Recommendations Versions prior to 10.0.06 should be updated.