Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : June 25, 2026

CVE-2026-56011: MapPress Maps for WordPress <= 2.97.3 Unauthenticated Stored Cross-Site Scripting PoC, Patch Analysis & Rule

Severity: High (CVSS 7.2)
CWE: CWE-79
Vulnerable Version: 2.97.3 and earlier
Patched Version: 2.97.4
Disclosed: June 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-56011:

MapPress Maps for WordPress 2.97.3 and earlier contains a stored cross-site scripting vulnerability in its map rendering code. The cause is missing output escaping in mappress_map.php: a shortcode attribute is written into the generated HTML as-is, so whoever controls the shortcode can add arbitrary attributes, including JavaScript event handlers, to the rendered element.

Root cause: the `to_html()` method of the `Mappress_Map` class in `/mappress-google-maps-for-wordpress/mappress_map.php`. At line 59 the `name` value is interpolated directly into an HTML attribute without escaping. It comes from the `$vars` array passed to the method, which holds the attributes of a shortcode such as `[mappress name="..."]`. The original statement

return "<div></div>\r\n<mappress-map id={$name} {$atts}>\r\n$pois\r\n</mappress-map>\r\n";

puts the user-supplied value into the `id` attribute without quotes and without escaping. Because the attribute is unquoted, the first whitespace character in `name` terminates the `id` value and the browser parses everything after it as further attributes of the `<mappress-map>` element; no quote or angle bracket is needed to inject an event handler.

Exploitation: Atomic Edge rates this as exploitable without authentication. The attacker gets a MapPress shortcode with a crafted `name` attribute into a WordPress post or page, for example `[mappress name=" onfocus=alert(1) autofocus=]`, so that the value leaves the `id` context and introduces event-handler attributes. When any user views the page, the handler runs in that user's browser session. One caveat for triage: WordPress core applies `do_shortcode()` to post content but not to comment text, so an unauthenticated path to this sink exists only where a theme or plugin renders shortcodes in user-submitted content (comments, front-end submission forms); the PoC below is conditioned on that.

Patch: version 2.97.4 wraps `name` in `esc_attr()` and encloses the attribute value in double quotes:

return "<div></div>\r\n<mappress-map id=\"" . esc_attr($name) . "\" {$atts}>\r\n$pois\r\n</mappress-map>\r\n";

Both halves matter. `esc_attr()` encodes `<`, `>`, `&`, `"` and `'` but not whitespace, so the added quotes are what keep a space-containing name inside the attribute value, and the escaping is what stops a `"` in the name from closing those quotes early. Before the patch the raw value was output with neither.

Impact: successful exploitation executes attacker-controlled JavaScript in the context of every user who views the affected page, enabling session hijacking, cookie theft, phishing redirects and defacement. The exposure is greatest on sites that render shortcodes in user-submitted content, since those paths reach the sink without an authenticated author.

Proof of Concept

<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-56011 - MapPress Maps for WordPress <= 2.97.3
//
// The definitions of $target_url and $shortcode, and the opening of the
// commented-out request block, are missing from this copy of the PoC;
// the block comment is closed below as in the source.
/*
$comment_data = array(
    'comment_post_ID' => 1, // Target post ID
    'comment_content' => $shortcode,
    'author'          => 'attacker',
    'email'           => 'attacker@example.com',
);
// Caveat: WordPress's wp-comments-post.php reads the comment body from the
// 'comment' request field; 'comment_content' is the wp_comments column name.

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($comment_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
echo $response;
*/

// Note: Full weaponization depends on site configuration.
// The PoC demonstrates the core vulnerability: unsanitized shortcode attribute.
?>

ModSecurity Rule

# Atomic Edge WAF Rule - CVE-2026-56011
# Block XSS attempts via MapPress shortcode 'name' attribute injection
# Targets unauthenticated stored XSS in mappress_map.php
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:20261994,phase:2,deny,status:403,chain,msg:'Atomic Edge - CVE-2026-56011 XSS via MapPress shortcode',severity:'CRITICAL',tag:'CVE-2026-56011'"
    SecRule ARGS_POST:action "@streq mappress_shortcode" "chain"
    SecRule ARGS_POST:name "@rx [\"'\\(){}]" "chain"
    SecRule ARGS_POST:name "@rx on\w+\s*="

The chain is a logical AND: the request must be a POST to admin-ajax.php with action=mappress_shortcode and a name argument that contains both one of the characters " ' \ ( ) { } and an on...= handler. Two coverage limits follow from that. The rule does not inspect the comment submission the PoC above builds, nor post saves through wp-admin/post.php or the REST API, so it is a signature for one submission path rather than a virtual patch for the sink; and a handler whose body contains none of the listed characters is not matched by the third rule. Upgrading to 2.97.4 is the fix.
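The sink and fix described above, plus the follow-up check a practitioner wants after patching, as an added example in PHP that is not the plugin's own code. `esc_attr_standin()`, `parse_shortcode_atts()`, `event_handlers_on_map()` and `find_suspicious_mappress()` are names introduced here; the shortcode parser is a simplified stand-in for WordPress's `shortcode_parse_atts()`, the escaping function assumes `esc_attr()` behaves like `htmlspecialchars()` with ENT_QUOTES, the sample rows are constructed, and the event-handler check parses the rendered fragment with PHP's DOMDocument (ext-dom).

```php
<?php
// Added example (not MapPress plugin code): models the Mappress_Map::to_html()
// sink before and after the 2.97.4 fix, and scans stored content for payloads.
// esc_attr_standin() is a local stand-in for WordPress's esc_attr(); assumption:
// ENT_QUOTES escaping of <>&"' with whitespace left alone matches it closely
// enough for this demonstration.

function esc_attr_standin(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Simplified shortcode attribute parser (assumption: the key="v", key='v' and
// key=v forms are enough here; WordPress's shortcode_parse_atts() handles more).
function parse_shortcode_atts(string $text): array {
    $atts = [];
    $re = '/([\w-]+)\s*=\s*"([^"]*)"|([\w-]+)\s*=\s*\'([^\']*)\'|([\w-]+)\s*=\s*([^\s\'"]+)/';
    preg_match_all($re, $text, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        if (($m[1] ?? '') !== '') {
            $atts[$m[1]] = $m[2];
        } elseif (($m[3] ?? '') !== '') {
            $atts[$m[3]] = $m[4];
        } else {
            $atts[$m[5]] = $m[6];
        }
    }
    return $atts;
}

// Vulnerable sink as shipped in <= 2.97.3: id is unquoted and unescaped, so the
// first space in $name ends the id value and the rest becomes new attributes.
function to_html_vulnerable(array $vars, string $atts = ''): string {
    $name = isset($vars['name']) ? $vars['name'] : 'noname';
    return "<div></div>\r\n<mappress-map id={$name} {$atts}>\r\n</mappress-map>\r\n";
}

// Patched sink as in 2.97.4: quoted and escaped. Both halves are needed; the
// quotes hold whitespace inside the value, the escaping stops a " from closing them.
function to_html_patched(array $vars, string $atts = ''): string {
    $name = isset($vars['name']) ? $vars['name'] : 'noname';
    return "<div></div>\r\n<mappress-map id=\"" . esc_attr_standin($name) . "\" {$atts}>\r\n</mappress-map>\r\n";
}

// Parses the rendered fragment the way a browser would and returns the names
// of the on* event-handler attributes that ended up on <mappress-map>.
function event_handlers_on_map(string $html): array {
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);   // the custom element name only triggers warnings
    $dom->loadHTML('<!DOCTYPE html><body>' . $html . '</body>');
    libxml_clear_errors();
    $handlers = [];
    foreach ($dom->getElementsByTagName('mappress-map') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $handlers[] = $attr->name;
            }
        }
    }
    return $handlers;
}

// Post-patch hunt: the fix changes rendering, not storage, so payloads that
// landed in content before the update are still there. Flags every [mappress]
// shortcode whose name attribute is not a plain identifier.
function find_suspicious_mappress(array $rows): array {
    $hits = [];
    foreach ($rows as $row) {
        if (!preg_match_all('/\[mappress\b([^\]]*)\]/', $row['content'], $found)) {
            continue;
        }
        foreach ($found[1] as $attText) {
            $name = parse_shortcode_atts($attText)['name'] ?? '';
            if ($name !== '' && !preg_match('/^[A-Za-z][\w-]*$/', $name)) {
                $hits[] = ['post_id' => $row['post_id'], 'name' => $name];
            }
        }
    }
    return $hits;
}

// Constructed sample content (not real site data).
$rows = [
    ['post_id' => 1, 'content' => 'Visit us: [mappress name="office"]'],
    ['post_id' => 2, 'content' => 'Map: [mappress name="x onmouseover=alert(1)"]'],
    ['post_id' => 3, 'content' => 'No map here.'],
];

$payloadAtts = parse_shortcode_atts('name="x onmouseover=alert(1)"');
echo "vulnerable handlers: " . json_encode(event_handlers_on_map(to_html_vulnerable($payloadAtts))) . "\n";
echo "patched handlers:    " . json_encode(event_handlers_on_map(to_html_patched($payloadAtts))) . "\n";
echo "stored hits:         " . json_encode(find_suspicious_mappress($rows)) . "\n";
```

Run with `php example.php`. The vulnerable render puts an `onmouseover` attribute on the element, the patched render puts none there because the whole name is now the `id` value, and the scanner reports post 2 only. The name check is deliberately an allowlist (`^[A-Za-z][\w-]*$`) rather than the WAF rule's character blocklist, since a legitimate map id never needs whitespace, quotes or brackets, and that is exactly what a breakout needs.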

Diff between vulnerable and patched code

Below is the diff between the vulnerable 2.97.3 code and the 2.97.4 patch, for reference.

Code Diff
--- a/mappress-google-maps-for-wordpress/mappress.php
+++ b/mappress-google-maps-for-wordpress/mappress.php
@@ -5,7 +5,7 @@
 Author URI: https://www.mappresspro.com
 Pro Update URI: https://www.mappresspro.com
 Description: MapPress makes it easy to add Google Maps and Leaflet Maps to WordPress
-Version: 2.97.3
+Version: 2.97.4
 Author: Chris Richardson
 Text Domain: mappress-google-maps-for-wordpress
 Thanks to all the translators and to Scott DeJonge for his wonderful icons
@@ -41,7 +41,7 @@
 }

 class Mappress {
-	const VERSION = '2.97.3';
+	const VERSION = '2.97.4';

 	static
 		$api,
--- a/mappress-google-maps-for-wordpress/mappress_map.php
+++ b/mappress-google-maps-for-wordpress/mappress_map.php
@@ -56,7 +56,7 @@
 		$name = (isset($vars['name']) ? $vars['name'] : 'noname');

 		// Extra div forces web component out of phrasing elements like <p>
-		return "<div></div>rn<mappress-map id={$name} {$atts}>rn$poisrn</mappress-map>rn";
+		return "<div></div>rn<mappress-map id="" . esc_attr($name) . "" {$atts}>rn$poisrn</mappress-map>rn";
 	}

 	function to_json() {
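Review bot: the fix is correct for `$name`, but the same return statement still interpolates `$atts` and `$pois` raw and this hunk does not show how either is built; confirm that every value in `$atts` passes through `esc_attr()` and that `$pois` is escaped where it is assembled, otherwise the line keeps a second injection point on the same element. Two smaller points: the quoting carries as much of the fix as the escaping, because `esc_attr()` encodes `<>&"'` but not whitespace, so `id=" . esc_attr($name) . "` without the surrounding `\"` would still let a space-separated name spill into new attributes; and this rendered view has lost backslashes (`rn` where the analysis above shows `\r\n`, `id=""` for the escaped quotes), so review against the actual file rather than this copy.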
