CVE-2026-9594 Overview
CVE-2026-9594 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Maps plugin for WordPress, which provides Google Maps, OpenStreetMap, Mapbox, Store Locator, Listing, Directory, and Filters functionality. The flaw affects all versions of the plugin up to and including 4.9.4. The vulnerability resides in the location_messages parameter, which lacks sufficient input sanitization and output escaping. Authenticated attackers holding the custom wpgmp_manage_location capability can inject arbitrary web scripts that execute when users access the affected pages. This capability is granted to administrators by default but can be assigned to lower-privileged roles through the plugin's Permissions screen.
Critical Impact
Authenticated attackers with the wpgmp_manage_location capability can inject persistent JavaScript that executes in any user's browser when viewing affected map pages, enabling session theft, account takeover, and content manipulation.
Affected Products
- WP Maps – Google Maps, OpenStreetMap, Mapbox, Store Locator, Listing, Directory & Filters plugin for WordPress
- All versions up to and including 4.9.4
- WordPress sites that have assigned the wpgmp_manage_location capability to non-administrator roles
Discovery Timeline
- 2026-06-06 - CVE-2026-9594 published to the National Vulnerability Database
- 2026-06-08 - Last updated in the NVD database
Technical Details for CVE-2026-9594
Vulnerability Analysis
The vulnerability is classified as Stored Cross-Site Scripting under [CWE-79]. The WP Maps plugin accepts user-supplied content through the location_messages parameter without applying adequate sanitization on input or escaping on output. Attacker-controlled payloads are persisted to the WordPress database and rendered into pages that display location information. When any visitor or authenticated user loads a page containing the injected location, the malicious script executes in the browser context of the WordPress site. The script then runs with the privileges of the viewing user, including any active session cookies.
Root Cause
The root cause is the absence of proper sanitization functions on input handling in modules/location/model.location.php and the lack of output escaping in modules/shortcode/views/put-wpgmp.php. The plugin stores the location_messages value verbatim and later emits it into HTML output without applying WordPress escaping helpers such as esc_html(), esc_attr(), or wp_kses(). Refer to the WordPress Plugin Code Snippet and the shortcode view source for the affected code paths.
Attack Vector
Exploitation requires authentication and the wpgmp_manage_location capability. An attacker who controls or compromises an account with this capability submits a malicious JavaScript payload through the location_messages field during location creation or editing. The payload is stored in the database. When an administrator, editor, or site visitor loads the page rendering that location, the script executes in the victim's browser. The attack vector is network-based but requires high privileges, which limits the eligible attacker pool. See the Wordfence Vulnerability Report for additional context.
No verified proof-of-concept code is published for this vulnerability. The exploitation pattern follows standard stored XSS injection through an authenticated form field, with the payload triggering on subsequent page renders.
Detection Methods for CVE-2026-9594
Indicators of Compromise
- Database entries in WP Maps location records containing HTML tags such as <script>, <svg>, <img onerror=>, or javascript: URIs in the location_messages field
- Unexpected outbound HTTP requests from administrator browsers shortly after visiting map pages, indicating possible session exfiltration
- New or modified WordPress administrator accounts created shortly after an editor or contributor with wpgmp_manage_location accessed location settings
Detection Strategies
- Query the WordPress database for WP Maps location records and inspect the location_messages column for HTML or JavaScript content
- Review the WordPress audit log for edits to map locations by non-administrator accounts that hold the wpgmp_manage_location capability
- Deploy a web application firewall rule to flag POST requests to plugin endpoints containing script tags or event handler attributes in the location_messages parameter
Monitoring Recommendations
- Monitor role and capability changes in WordPress, specifically assignments of the wpgmp_manage_location capability to non-administrator roles
- Alert on Content Security Policy violation reports originating from pages that render WP Maps shortcodes
- Track plugin version inventory across managed WordPress sites and flag installations running 4.9.4 or earlier
How to Mitigate CVE-2026-9594
Immediate Actions Required
- Update the WP Maps plugin to a version newer than 4.9.4 once the vendor releases a patched build that addresses the referenced changeset
- Audit which user roles hold the wpgmp_manage_location capability and revoke it from any non-administrator roles
- Inspect existing location records for previously injected payloads and sanitize or remove suspicious entries
Patch Information
The vendor committed a fix in WordPress plugin changeset 3550683 for the wp-google-map-plugin repository. Site administrators should upgrade to the next release published after version 4.9.4 through the WordPress plugin updater. Verify the installed version after upgrade and confirm that location_messages output is properly escaped by viewing a test location page source.
Workarounds
- Restrict the wpgmp_manage_location capability to trusted administrator accounts only through the plugin's Permissions screen
- Enforce a strict Content Security Policy that disallows inline scripts on pages rendering WP Maps shortcodes
- Temporarily disable the WP Maps plugin if no trusted users require access to location management until a patched release is installed
# Example WP-CLI commands to inventory and mitigate exposure
wp plugin get wp-google-map-plugin --field=version
wp user list --role=editor --fields=ID,user_login,roles
wp plugin deactivate wp-google-map-plugin
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
