CVE-2025-32138 MEDIUM

CVE-2025-32138: WordPress Easy Google Maps plugin <= 1.11.18 - XML External Entity vulnerability

Vendor Supsystic
Product Easy Google Maps
Weakness CWE-611 · XXE
Published April 4, 2025
Last update April 28, 2026

CVSS base score

6.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps google-maps-easy allows XML Injection. This issue affects Easy Google Maps: from n/a through <= 1.11.18.

Explanation of Vulnerability in Simple Terms

02 Summary

Easy Google Maps versions up to 1.11.18 contain an XML External Entity (XXE) vulnerability. An authenticated administrator can craft a malicious XML payload to read local files, modify data, or disrupt service. The vulnerability requires high-level privileges and affects the confidentiality, integrity, and availability of the site.

What an attacker can do

03 Attacker Capabilities

Read local files, modify site data, or cause denial of service via malicious XML input.

Potential impact on your site

04 Site Impact

An admin account compromise could expose sensitive files or disrupt the maps functionality.

Conditions required to exploit

05 Prerequisites

Attacker must have administrator-level access to the site.

Key dates

06 Disclosure timeline

April 4, 2025 CVE published
April 28, 2026 Record updated