Plugin Vulnerability Hub
Plugin 21 known issues Latest disclosed Mar 22, 2026

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters Vulnerabilities

Review known vulnerability records for the WordPress plugin WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters (`wp-google-map-plugin`), including severity, CVE references, affected versions, and patch status.

Known Records: 21
High or Critical: 10
Linked CVEs: 18
Last Updated: Mar 22, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility: 21 records include a published patch path.
Severity Mix: 0 critical and 10 high severity findings.
Reference Workflow: Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.

Known Vulnerabilities

Reports for WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: Yes CVE-2026-2580
WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 - Unauthenticated SQL Injection via 'orderby' Parameter

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 4.9.1 due to insufficient escaping on the user supplied parame...

Published: Mar 22, 2026
Patched Release: 4.9.2
Affected Versions: Versions up to 4.9.1
Next Step: Update to 4.9.2 or newer if supported.

Plugin High Patched: Yes CVE-2026-3222
WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter

The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped...

Published: Mar 10, 2026
Patched Release: 4.9.2
Affected Versions: Versions up to 4.9.1
Next Step: Update to 4.9.2 or newer if supported.

Plugin High Patched: Yes CVE-2025-12062
WP Maps <= 4.8.6 - Authenticated (Subscriber+) Limited Local File Inclusion

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, w...

Published: Feb 16, 2026
Patched Release: 4.8.7
Affected Versions: Versions up to 4.8.6
Next Step: Update to 4.8.7 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-67535
Maps <= 4.8.6 - Authenticated (Administrator+) PHP Object Injection

The Maps plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.8.6 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP...

Published: Nov 02, 2025
Patched Release: 4.8.7
Affected Versions: Versions up to 4.8.6
Next Step: Update to 4.8.7 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-3502
WP Maps – Display Google Maps Perfectly with Ease <= 4.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

The WP Maps – Display Google Maps Perfectly with Ease plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authentica...

Published: Apr 10, 2025
Patched Release: 4.7.2
Affected Versions: Versions up to 4.7.1
Next Step: Update to 4.7.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-3503
WP Maps – Display Google Maps Perfectly with Ease <= 4.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

The WP Maps – Display Google Maps Perfectly with Ease plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authentica...

Published: Apr 10, 2025
Patched Release: 4.7.2
Affected Versions: Versions up to 4.7.1
Next Step: Update to 4.7.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2025-3504
WP Maps – Display Google Maps Perfectly with Ease <= 4.7.1 - Authenticated (Admin+) Stored Cross-Site Scripting

The WP Maps – Display Google Maps Perfectly with Ease plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authentica...

Published: Apr 10, 2025
Patched Release: 4.7.2
Affected Versions: Versions up to 4.7.1
Next Step: Update to 4.7.2 or newer if supported.

Plugin High Patched: Yes CVE-2024-2386
WordPress Plugin for Google Maps – WP MAPS <= 4.6.1 - Authenticated (Contributor+) SQL Injection

The WordPress Plugin for Google Maps – WP MAPS plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'put_wpgm' shortcode in all versions up to, and including, 4.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient pre...

Published: Jun 28, 2024
Patched Release: 4.6.2
Affected Versions: Versions up to 4.6.1
Next Step: Update to 4.6.2 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-28172
WP Google Map Plugin <= 4.4.2 - Cross-Site Request Forgery via delete()

The WP Google Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.2. This is due to missing or incorrect nonce validation on the delete() function of the WPGMP_Model_Group_Map, WPGMP_Model_Location, and WPGMP_Model_Map...

Published: Mar 13, 2023
Patched Release: 4.4.3
Affected Versions: Versions up to 4.4.2
Next Step: Update to 4.4.3 or newer if supported.

Plugin Medium Patched: Yes CVE-2023-23878
WP MAPS <= 4.3.9 - Authenticated (Editor+) Stored Cross-Site Scripting

The WP MAPS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 4.3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attac...

Published: Jan 20, 2023
Patched Release: 4.4.0
Affected Versions: Versions up to 4.3.9
Next Step: Update to 4.4.0 or newer if supported.

Plugin Medium Patched: Yes CVE-2022-25600
WP MAPS – Easiest & Most Advanced WordPress Plugin for Google Maps <= 4.2.3 - Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) vulnerability affecting Delete Marker Category, Delete Map, and Copy Map functions in WP Google Map plugin (versions

Published: Feb 22, 2022
Patched Release: 4.2.4
Affected Versions: Versions before 4.2.4
Next Step: Update to 4.2.4 or newer if supported.

Plugin High Patched: Yes CVE-2021-24130
WP Google Map Plugin <= 4.1.4 - Authenticated SQL Injection via Orderby

Unvalidated input in the Manage Locations page within the plugin settings of the WP Google Map Plugin WordPress plugin, versions before 4.1.5, allowed SQL Injection by a high-privileged user (admin+).

Published: Nov 25, 2020
Patched Release: 4.1.5
Affected Versions: Versions up to 4.1.4
Next Step: Update to 4.1.5 or newer if supported.