| CVE-2025-13364 | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'put_wpgm' Shortcode | flippercode | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters | Medium | 6.4 | 2026-04-16 06:44:52 | Deep Dive |
| CVE-2026-3581 | Basic Google Maps Placemarks <= 1.10.7 - Missing Authorization to Unauthenticated Default Map Coordinate Update | iandunn | Basic Google Maps Placemarks | Medium | 5.3 | 2026-04-16 05:29:55 | Deep Dive |
| CVE-2026-23900 | Extension - phoca.cz - Stored XSS vectors in Phoca Maps component 5.0.0 - 6.0.2 for Joomla | phoca.cz | phoca.cz - Phoca Maps for Joomla | 中危 | - | 2026-04-11 12:52:13 | Deep Dive |
| CVE-2026-2580 | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 - Unauthenticated SQL Injection via 'orderby' Parameter | flippercode | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters | High | 7.5 | 2026-03-22 23:24:32 | Deep Dive |
| CVE-2026-4268 | WP Go Maps (formerly WP Google Maps) <= 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings | wpgmaps | WP Go Maps (formerly WP Google Maps) | Medium | 6.4 | 2026-03-18 01:24:48 | Deep Dive |
| CVE-2026-3222 | WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter | flippercode | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters | High | 7.5 | 2026-03-11 05:27:17 | Deep Dive |
| CVE-2025-69389 | WordPress Visitor Maps Extended Referer Field plugin <= 1.2.6 - Reflected Cross Site Scripting (XSS) vulnerability | Hugh Mungus | Visitor Maps Extended Referer Field | - | - | 2026-02-20 15:46:55 | Deep Dive |
| CVE-2025-12062 | WP Maps <= 4.8.6 - Authenticated (Subscriber+) Limited Local File Inclusion | flippercode | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters | High | 8.8 | 2026-02-16 23:22:38 | Deep Dive |
| CVE-2026-0557 | WP Data Access <= 5.5.63 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode | peterschulznl | WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards | Medium | 6.4 | 2026-02-14 06:42:30 | Deep Dive |
| CVE-2026-1730 | OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload | skirridsystems | OS DataHub Maps | High | 8.8 | 2026-02-03 07:31:24 | Deep Dive |
| CVE-2026-0593 | WP Go Maps (formerly WP Google Maps) <= 10.0.04 - Missing Authorization to Authenticated (Subscriber+) Map Engine Setting Modification | wpgmaps | WP Go Maps (formerly WP Google Maps) | Medium | 5.3 | 2026-01-24 16:25:52 | Deep Dive |
| CVE-2025-49045 | WordPress Super Interactive Maps plugin <= 2.3 - Reflected Cross Site Scripting (XSS) vulnerability | highwarden | Super Interactive Maps | High | 7.1 | 2026-01-22 16:51:42 | Deep Dive |
| CVE-2026-0563 | WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpgsv_map' Shortcode | pagup | WP Google Street View (with 360° virtual tour) & Google maps + Local SEO | Medium | 6.4 | 2026-01-09 06:34:54 | Deep Dive |
| CVE-2025-67535 | WordPress WP Maps plugin <= 4.8.6 - PHP Object Injection vulnerability | Flipper Code - WordPress Development Company | WP Maps | Medium | 6.6 | 2025-12-09 14:14:04 | Deep Dive |
| CVE-2025-11868 | everviz <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | everviz | everviz – Charts, Maps and Tables – Interactive and responsive | Medium | 6.4 | 2025-11-18 08:27:38 | Deep Dive |
| CVE-2025-11307 | WP Google Maps < 9.0.48 - Unauthenticated Stored XSS | Unknown | WP Go Maps (formerly WP Google Maps) | 中危 | - | 2025-11-11 06:00:07 | Deep Dive |
| CVE-2025-12662 | Coon Google Maps <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | andrico | Coon Google Maps | Medium | 6.4 | 2025-11-11 03:30:52 | Deep Dive |
| CVE-2025-39465 | WordPress Advanced Google Maps plugin <= 5.8.4 - Broken Access Control vulnerability | flippercode | Advanced Google Maps | Medium | 4.3 | 2025-11-06 15:53:29 | Deep Dive |
| CVE-2025-62942 | WordPress WP Mapbox GL JS Maps plugin <= 3.0.1 - Cross Site Scripting (XSS) vulnerability | tempranova | WP Mapbox GL JS Maps | Medium | 6.5 | 2025-10-27 01:34:06 | Deep Dive |
| CVE-2025-11703 | WP Go Maps (formerly WP Google Maps) <= 9.0.48 - Unauthenticated Cache Poisoning | wpgmaps | WP Go Maps (formerly WP Google Maps) | Medium | 5.3 | 2025-10-18 06:42:46 | Deep Dive |