CVE-2026-7464 Overview
CVE-2026-7464 is a Reflected Cross-Site Scripting (XSS) vulnerability in the WP Google Maps Integration plugin for WordPress. The flaw affects all plugin versions up to and including 1.2. The page request parameter is reflected into admin output with insufficient input sanitization and output escaping, so an unauthenticated attacker can inject arbitrary web script that executes when an administrator is tricked into clicking a crafted link. The issue is classified under CWE-79.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in an administrator's browser session, enabling session hijacking, account takeover, or unauthorized administrative actions on the WordPress site.
Affected Products
- WordPress WP Google Maps Integration plugin versions up to and including 1.2
- All admin partial views referencing the page parameter (category, map, marker, and route table displays)
- WordPress sites with the vulnerable plugin installed and active
Discovery Timeline
- 2026-05-12 - CVE-2026-7464 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-7464
Vulnerability Analysis
The vulnerability stems from improper handling of the page URL parameter across multiple admin partial templates. The plugin reflects the page value back into rendered HTML without applying sufficient sanitization or output escaping. As a result, attacker-controlled script content embedded in a crafted URL is rendered and executed in the context of the WordPress administration interface.
The vulnerability is reachable over the network and requires no privileges. It does require user interaction, since an administrator must open the attacker-crafted link. Because the injected script runs in the administrator's authenticated session, its impact extends beyond the vulnerable plugin to the WordPress site as a whole (a changed scope in CVSS terms).
Root Cause
The root cause is missing input sanitization and output escaping for the page request parameter. The affected templates include admin/partials/category/category-table-display.php, admin/partials/map/map-table-display.php, admin/partials/marker/marker-table-display.php, and admin/partials/route/route-table-display.php. Each template echoes the page parameter into HTML attributes or markup without functions such as esc_attr() or esc_html().
Attack Vector
An unauthenticated attacker crafts a URL targeting an admin page on the vulnerable WordPress site. The URL embeds malicious JavaScript inside the page query parameter. The attacker delivers the link to a site administrator through phishing, social engineering, or a malicious referrer. When the administrator clicks the link while authenticated, the payload executes in their browser. The script can steal session cookies, perform CSRF-style state changes, create rogue admin accounts, or inject backdoors into the site. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-7464
Indicators of Compromise
- Web server access logs containing requests to admin pages with page parameter values that include <script>, javascript:, onerror=, or URL-encoded equivalents such as %3Cscript%3E
- Unexpected creation of new administrator accounts or modifications to existing user roles following admin login activity
- Outbound requests from administrator browsers to unfamiliar domains shortly after accessing the WordPress admin interface
- Modifications to plugin or theme files that do not correspond to legitimate update activity
Detection Strategies
- Inspect HTTP request logs for the WordPress admin path with suspicious query strings targeting the page parameter
- Deploy a Web Application Firewall (WAF) rule that flags reflected XSS payloads against /wp-admin/ endpoints
- Correlate administrator login events with subsequent privileged actions to identify activity that occurs without direct user input
- Review plugin file integrity against the official WordPress.org distribution to identify unauthorized changes
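The log inspection described in the indicators and detection strategies above, as an added example that is not part of the advisory or the plugin: a small PHP scanner that picks out /wp-admin/ requests whose page argument carries the listed XSS markers, URL-decoding the value (including double encoding, which a raw-string match would miss). The log lines, IP addresses and the wpgmi-maps slug are constructed for the demonstration.

```php
<?php
// Added example, not part of the advisory: scan web server access log lines
// for /wp-admin/ requests whose `page` query argument carries the reflected
// XSS markers listed above, decoding URL encoding (including double encoding).
// The log lines below are constructed for this demonstration.

// Marker set taken from the indicators above; a production rule should be broader.
const XSS_MARKERS = '/<\s*script|javascript\s*:|on(?:error|load|click)\s*=/i';

// Decode until stable (at most 3 rounds) so %253Cscript%253E is caught as well.
function fully_decode( string $s ): string {
    for ( $i = 0; $i < 3; $i++ ) {
        $d = rawurldecode( $s );
        if ( $d === $s ) { break; }
        $s = $d;
    }
    return $s;
}

// Returns the decoded `page` value when the request looks like an XSS probe
// against /wp-admin/, otherwise null.
function suspicious_page_arg( string $logline ): ?string {
    if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logline, $m ) ) {
        return null; // not a combined-format request line
    }
    $path = (string) parse_url( $m[1], PHP_URL_PATH );
    if ( strpos( $path, '/wp-admin/' ) !== 0 ) {
        return null; // only the admin interface reflects the parameter
    }
    parse_str( (string) parse_url( $m[1], PHP_URL_QUERY ), $args ); // decodes once
    if ( empty( $args['page'] ) ) {
        return null;
    }
    $page = fully_decode( (string) $args['page'] );
    return preg_match( XSS_MARKERS, $page ) ? $page : null;
}

$lines = array(
    '203.0.113.5 - - [12/May/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=wpgmi-maps&paged=2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/May/2026:10:03:44 +0000] "GET /wp-admin/admin.php?page=wpgmi-maps%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4987',
    '203.0.113.9 - - [12/May/2026:10:04:10 +0000] "GET /wp-admin/admin.php?page=x%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4990',
    '198.51.100.7 - - [12/May/2026:10:05:00 +0000] "GET /?s=javascript%3Aalert HTTP/1.1" 200 3000',
);
foreach ( $lines as $line ) {
    $hit = suspicious_page_arg( $line );
    if ( $hit !== null ) {
        echo "ALERT page=", $hit, " :: ", $line, "\n"; // the second and third lines are flagged
    }
}
```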
Monitoring Recommendations
- Enable verbose logging on the WordPress admin interface and forward logs to a centralized analysis platform
- Monitor for anomalous wp_users and wp_usermeta table writes that indicate privilege escalation
- Alert on outbound HTTP requests from the web server to uncommon destinations originating from PHP processes
How to Mitigate CVE-2026-7464
Immediate Actions Required
- Identify all WordPress installations running the WP Google Maps Integration plugin and inventory plugin versions
- Deactivate the plugin on any site running version 1.2 or earlier until a patched release is available
- Rotate administrator credentials and invalidate active sessions if exploitation is suspected
- Apply a WAF rule blocking requests containing script tags or JavaScript event handlers in the page parameter
Patch Information
At the time of publication, no fixed version is identified in the NVD record. Site operators should monitor the WordPress plugin repository and the Wordfence Vulnerability Report for a patched release. When a fix is published, update immediately and verify that templates echoing the page parameter call esc_attr() or esc_html() before output.
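To make the root cause and the patch check concrete, here is an added illustration (not the plugin's own code) of a hypothetical admin table template that builds a pager link from the page request parameter, first in the vulnerable shape described under Root Cause, then hardened with the esc_attr()/esc_html() calls the patch verification above asks for. The render_pager_* function names and the wpgmi-maps slug are assumed; the shims only stand in for WordPress helpers when the file is run outside WordPress.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical admin table
// template that builds a pager link from the `page` request parameter, first
// in the vulnerable shape the advisory describes, then hardened.
// Inside WordPress the helpers below already exist; these shims (approximate,
// not the real implementations) only let the file run under the PHP CLI.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $v )          { return stripslashes( $v ); }
    function sanitize_text_field( $v ) { return trim( strip_tags( $v ) ); }
    function esc_attr( $v )            { return htmlspecialchars( $v, ENT_QUOTES, 'UTF-8' ); }
    function esc_html( $v )            { return htmlspecialchars( $v, ENT_QUOTES, 'UTF-8' ); }
}

// Vulnerable pattern (CWE-79): the raw request value goes straight into markup,
// once in an attribute context and once in an element context, unescaped.
function render_pager_vulnerable( array $get, int $next ): string {
    $page = $get['page'];
    return '<a href="admin.php?page=' . $page . '&paged=' . $next . '">Next</a>'
         . '<span>Viewing ' . $page . '</span>';
}

// Hardened pattern: unslash (WordPress adds slashes to $_GET), sanitize the
// input, and escape for the exact context where it is emitted. Validating the
// value against the plugin's known menu slugs would be stronger still.
function render_pager_fixed( array $get, int $next ): string {
    $page = isset( $get['page'] ) ? sanitize_text_field( wp_unslash( $get['page'] ) ) : '';
    $next = max( 1, $next );
    return '<a href="admin.php?page=' . esc_attr( $page ) . '&amp;paged=' . $next . '">Next</a>'
         . '<span>Viewing ' . esc_html( $page ) . '</span>';
}

// Constructed request value mirroring the advisory's attack vector.
$get = array( 'page' => 'wpgmi-maps"><script>alert(1)</script>' );
echo render_pager_vulnerable( $get, 2 ), "\n"; // emits a live <script> element
echo render_pager_fixed( $get, 2 ), "\n";      // quotes and brackets become entities
```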
Workarounds
- Restrict access to /wp-admin/ by source IP address using web server access controls or a reverse proxy allowlist
- Enforce multi-factor authentication for all WordPress administrator accounts to reduce the impact of session theft
- Train administrators to avoid clicking links to the admin interface received via email or external sources
- Deploy a Content Security Policy (CSP) header on the WordPress admin interface to restrict inline script execution
# Example Nginx configuration to block reflected XSS payloads targeting the page parameter.
# $arg_page is the raw, still URL-encoded query value, so both literal and %-encoded forms
# are listed; double-encoded payloads (for example %253C) are not caught by this rule.
location /wp-admin/ {
    if ($arg_page ~* "(<|%3C)script|javascript:|on(error|load|click)=") {
        return 403;
    }
    # wp-admin relies heavily on inline scripts; a script-src without 'unsafe-inline'
    # breaks parts of the interface, so trial the policy with
    # Content-Security-Policy-Report-Only before enforcing it.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.