CVE-2023-6697 MEDIUM

CVE-2023-6697: WP Go Maps (formerly WP Google Maps) <= 9.0.28 - Reflected Cross-Site Scripting

Vendor Wpgmaps

Product WP Go Maps (formerly WP Google Maps)

Weakness CWE-79 · XSS

Published January 24, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to, and including, 9.0.28 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

January 24, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-6697

Related vulnerabilities

04Related CVE

CVE-2024-53999 Mobile Security Framework (MobSF) Stored Cross-Site Scripting Vulnerability in "Diff or Compare" Functionality CVE-2025-7498 Exclusive Addons for Elementor <= 2.7.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown CVE-2024-52350 WordPress CRM 2go plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability CVE-2026-1571 Reflected XSS Vulnerability on TP-Link Archer C60 CVE-2025-7902 yangzongzhuan RuoYi SysNoticeController.java addSave cross site scripting