{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13364", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-18T16:57:46.868Z", "datePublished": "2026-04-16T06:44:52.144Z", "dateUpdated": "2026-04-16T12:04:16.719Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T06:44:52.144Z"}, "affected": [{"vendor": "flippercode", "product": "WP Maps \u2013 Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.8.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Maps \u2013 Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP Maps \u2013 Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'put_wpgm' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91d6cf21-cb65-40cb-ad19-5a8e7179fd98?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=wp-google-map-plugin/tags/4.8.7/wp-google-map-plugin.php&new_path=wp-google-map-plugin/tags/4.8.8/wp-google-map-plugin.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-11-09T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-27T04:48:33.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-15T17:46:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T11:11:41.822723Z", "id": "CVE-2025-13364", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:04:16.719Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13364", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-18T16:57:46.868Z", "datePublished": "2026-04-16T06:44:52.144Z", "dateUpdated": "2026-04-16T12:04:16.719Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T06:44:52.144Z"}, "affected": [{"vendor": "flippercode", "product": "WP Maps \u2013 Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.8.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Maps \u2013 Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "WP Maps \u2013 Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'put_wpgm' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91d6cf21-cb65-40cb-ad19-5a8e7179fd98?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=wp-google-map-plugin/tags/4.8.7/wp-google-map-plugin.php&new_path=wp-google-map-plugin/tags/4.8.8/wp-google-map-plugin.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-11-09T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-02-27T04:48:33.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-15T17:46:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T11:11:41.822723Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T11:11:46.824Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Maps \u2013 Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13364", "lastModified": "2026-04-16T07:16:28.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T07:16:28.550", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=wp-google-map-plugin/tags/4.8.7/wp-google-map-plugin.php&new_path=wp-google-map-plugin/tags/4.8.8/wp-google-map-plugin.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91d6cf21-cb65-40cb-ad19-5a8e7179fd98?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.8.7]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 98.0, "source": "matching"}]}, "original": {"product": "WP Maps \u2013 Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters", "source": "cna", "vendor": "flippercode"}, "product": "google_map", "vendor": "flippercode"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.8.7]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "WP Maps \u2013 Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters", "source": "cna", "vendor": "flippercode"}, "product": "wp_maps_\u2013_store_locator,google_maps,openstreetmap,mapbox,listing,directory_&_filters", "vendor": "flippercode"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T08:50:55.756817+00:00", "value": {"mitigation_remediation": ["Apply the latest plugin version (4.8.8 or newer) to remove the vulnerable shortcode input handling. ", "Delete or cleanse any existing content that contains the 'put_wpgm' shortcode with malicious attributes. ", "If immediate upgrade is not possible, revoke or restrict contributor\u2011level access for untrusted users and disable the shortcode parsing for that role. ", "Implement additional output sanitization for shortcode attributes as a temporary measure by editing the plugin code or using a security plugin that escapes content."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting allows injected scripts to run in any browser that loads affected pages, potentially leaking credentials, tampering with content, or executing additional actions on behalf of the user"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the WP Maps \u2013 Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin installed in any version up to and including 4.8.7 are impacted. Any user who can add or edit content with contributor\u2011level access on these sites can exploit the flaw, and all users who subsequently view the compromised page are at risk.", "description_and_impact": "A stored cross\u2011site scripting flaw in the WP Maps plugin enables an authenticated contributor or higher to inject arbitrary JavaScript into the shortcode attributes of the 'put_wpgm' tag. Once injected, the script executes automatically for every visitor who views the affected page, exposing the site to session hijacking, defacement, or malicious redirects. The vulnerability stems from a lack of input sanitization and output escaping.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, but the flaw is exploitable by authenticated users and can affect all visitors to the site, making it a high\u2011impact issue for exposed audiences. The EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to supply malicious data via the plugin\u2019s shortcode, and the attack surface is limited to users who load the affected content. However, because the injected script executes in the context of the website, the potential consequences span confidentiality, integrity, and availability."}}}}, "created": "2026-04-16T09:00:05.288779+00:00", "updated": "2026-04-16T09:30:05.882801+00:00", "vendors": ["flippercode", "flippercode$PRODUCT$google_map", "flippercode$PRODUCT$wp_maps_\u2013_store_locator,google_maps,openstreetmap,mapbox,listing,directory_&_filters", "wordpress", "wordpress$PRODUCT$wordpress"]}