Skip to main content

Google Maps CP EUVDEUVD-2026-41281

| CVE-2026-57670 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-6x98-crj7-pq94
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network XSS (AV:N/PR:N) requiring victim click (UI:R); reflected script crosses into the WordPress session (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:18 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Google Maps CP <= 1.2.5 versions.

AnalysisAI

Stored/reflected Cross-Site Scripting in the Google Maps CP WordPress plugin (versions 1.2.5 and earlier, vendor CodePeople) lets an unauthenticated attacker inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The flaw carries a CVSS 3.1 base score of 7.1 with a scope change, reflecting impact beyond the vulnerable component into the wider WordPress session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious XSS payload in plugin parameter
Delivery
Deliver crafted link to victim
Exploit
Victim with active session opens link
Execution
Unsanitized script executes in site origin
Impact
Steal session cookies or act as admin

Vulnerability AssessmentAI

Exploitation Exploitation requires the Google Maps CP plugin (version 1.2.5 or earlier) to be installed and active on a WordPress site, and requires victim user interaction (UI:R) - the target must click a crafted link or load an attacker-controlled page that triggers the vulnerable output path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L indicates network-reachable, low-complexity, unauthenticated exploitation, but critically requires user interaction (UI:R) - a victim must click a crafted link or visit an attacker-influenced page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or page containing a malicious JavaScript payload targeting the vulnerable Google Maps CP parameter and lures a logged-in WordPress administrator to click it. When the victim's browser renders the unsanitized output, the script executes in the site's origin, allowing the attacker to steal session cookies, perform actions as the admin, or plant a persistent backdoor. …
Remediation No vendor-released patch version is identified in the available data; a fixed release, if one exists, would be a version later than 1.2.5, but this is not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable or remove Google Maps CP plugin immediately if not essential; if retention is required, implement WAF rules blocking script payloads to plugin endpoints and restrict plugin access by IP. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy