PT-2026-34307 · WordPress · Posts Map

Nail Majdeddine · Published 2026-04-22 · Updated 2026-05-01 · CVE-2026-6236

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Posts Map plugin for WordPress versions prior to 0.1.4

Description

Insufficient input sanitization and output escaping on user-supplied attributes allow authenticated attackers with contributor-level access and above to inject arbitrary web scripts. This occurs via the 'name' shortcode attribute, resulting in scripts that execute whenever a user accesses an injected page. Stored Cross-Site Scripting is a flaw where a malicious script is permanently stored on the target server.

Recommendations

Update the plugin to a version later than 0.1.3.
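
The unescaped shortcode attribute pattern described above, shown beside a hardened form. This is an added example, not the Posts Map plugin's code: the shortcode tag `example_map`, the function names and the markup are hypothetical, while `shortcode_atts`, `sanitize_key`, `esc_attr`, `esc_html` and `add_shortcode` are WordPress core functions.

```php
<?php
// Hypothetical shortcode handlers (assumption: tag name, function names and
// markup are invented for illustration; this is not the plugin's source).

// Unsafe: the 'name' attribute is concatenated into HTML unchanged, so the
// value a contributor saves in post content is rendered for every visitor.
function example_map_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'map' ), $atts, 'example_map' );
    return '<div id="' . $atts['name'] . '" class="example-map">'
        . $atts['name'] . '</div>';
}

// Hardened: constrain the value on input, escape per context on output.
function example_map_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'map' ), $atts, 'example_map' );

    // Input: keep only lowercase a-z, 0-9, '_' and '-'; fall back if empty.
    $name = sanitize_key( $atts['name'] );
    if ( '' === $name ) {
        $name = 'map';
    }

    // Output: esc_attr() for the attribute value, esc_html() for text nodes.
    // Escaping stays even though $name is already constrained, so a later
    // change to the validation cannot reopen the injection.
    return sprintf(
        '<div id="%1$s" class="example-map">%2$s</div>',
        esc_attr( $name ),
        esc_html( $name )
    );
}

// Register only the hardened handler.
add_shortcode( 'example_map', 'example_map_shortcode_safe' );
```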

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-6236

Affected Products

Posts Map