Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network XSS (AV:N/PR:N) requiring victim click (UI:R); reflected script crosses into the WordPress session (S:C) with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Google Maps CP <= 1.2.5 versions.
AnalysisAI
Stored/reflected Cross-Site Scripting in the Google Maps CP WordPress plugin (versions 1.2.5 and earlier, vendor CodePeople) lets an unauthenticated attacker inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The flaw carries a CVSS 3.1 base score of 7.1 with a scope change, reflecting impact beyond the vulnerable component into the wider WordPress session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the Google Maps CP plugin (version 1.2.5 or earlier) to be installed and active on a WordPress site, and requires victim user interaction (UI:R) - the target must click a crafted link or load an attacker-controlled page that triggers the vulnerable output path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L indicates network-reachable, low-complexity, unauthenticated exploitation, but critically requires user interaction (UI:R) - a victim must click a crafted link or visit an attacker-influenced page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or page containing a malicious JavaScript payload targeting the vulnerable Google Maps CP parameter and lures a logged-in WordPress administrator to click it. When the victim's browser renders the unsanitized output, the script executes in the site's origin, allowing the attacker to steal session cookies, perform actions as the admin, or plant a persistent backdoor. … |
| Remediation | No vendor-released patch version is identified in the available data; a fixed release, if one exists, would be a version later than 1.2.5, but this is not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable or remove Google Maps CP plugin immediately if not essential; if retention is required, implement WAF rules blocking script payloads to plugin endpoints and restrict plugin access by IP. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Google Maps Cp
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41281
GHSA-6x98-crj7-pq94