Skip to main content

CodePeople Post Map EUVDEUVD-2026-39929

| CVE-2026-13335 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-27 Wordfence GHSA-xwv4-jx2p-x8xw
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Network-accessible stored XSS requires Contributor auth (PR:L); payload auto-executes on page visit scoping impact to victim browser (S:C); no server-side confidentiality or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 27, 2026 - 02:15 vuln.today
CVE Published
Jun 27, 2026 - 01:27 cve.org
MEDIUM 6.4

DescriptionCVE.org

The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the CodePeople Post Map for Google Maps WordPress plugin (versions through 1.2.6) permits authenticated Contributor-level users to persist malicious JavaScript payloads via the 'cpm_point' post meta field. The CVSS S:C (Scope Changed) flag confirms the injected scripts execute in victim browser sessions beyond the plugin's own context, enabling session hijacking, credential theft, or unauthorized admin actions against any user who visits an injected page. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor-level WordPress account
Delivery
Inject script payload into cpm_point post meta
Exploit
Payload persisted to WordPress database
Execution
Privileged user visits injected post page
Persist
Stored XSS executes in victim browser
Impact
Exfiltrate session token or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account at Contributor level or higher - unauthenticated attackers cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N accurately reflects the key risk dynamics. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a Contributor-level WordPress account on a target site running CodePeople Post Map for Google Maps 1.2.6 or earlier. The attacker creates a post embedding a Google Map and sets the 'cpm_point' meta field to a value containing a malicious JavaScript payload (e.g., a script that exfiltrates the visitor's session cookie to an attacker-controlled endpoint). …
Remediation An upstream fix has been committed to the WordPress plugin SVN repository at changeset revision 3586404 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3586404%40codepeople-post-map&new=3586404%40codepeople-post-map); however, a patched tagged release version beyond 1.2.6 is not independently confirmed from the available data - administrators should monitor the WordPress plugin directory for an updated release and apply it immediately upon publication. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39929 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy