Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

WP Maps

Source -

CNA

CNA CVEs -

6

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
6Vulnerabilities found
CVE-2026-39492
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-9.3||CRITICAL
EPSS-0.36% / 28.11%
||
7 Day CHG~0.00%
Published-15 Jun, 2026 | 20:17
Updated-16 Jun, 2026 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Maps plugin <= 4.9.1 - SQL Injection vulnerability

Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions.

Action-Not Available
Vendor-Flipper Code – WordPress Development Company
Product-WP Maps
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-6381
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.5||HIGH
EPSS-0.38% / 29.98%
||
7 Day CHG-0.01%
Published-18 May, 2026 | 06:00
Updated-18 May, 2026 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Maps < 4.9.3 - Subscriber+ Local File Inclusion

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.

Action-Not Available
Vendor-Unknown
Product-WP Maps
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-67535
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-6.6||MEDIUM
EPSS-0.30% / 21.86%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 14:14
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Maps plugin <= 4.8.6 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Flipper Code - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection.This issue affects WP Maps: from n/a through <= 4.8.6.

Action-Not Available
Vendor-Flipper Code - WordPress Development Company
Product-WP Maps
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-3504
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.22% / 12.12%
||
7 Day CHG~0.00%
Published-01 May, 2025 | 06:00
Updated-07 May, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wepluginsUnknown
Product-wp_mapsWP Maps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3503
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.5||MEDIUM
EPSS-0.24% / 14.40%
||
7 Day CHG~0.00%
Published-01 May, 2025 | 06:00
Updated-07 May, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wepluginsUnknown
Product-wp_mapsWP Maps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-3502
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-3.5||LOW
EPSS-0.27% / 18.97%
||
7 Day CHG~0.00%
Published-01 May, 2025 | 06:00
Updated-07 May, 2025 | 16:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Maps < 4.7.2 - Admin+ Stored XSS

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Action-Not Available
Vendor-wepluginsUnknown
Product-wp_mapsWP Maps
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')