CVE-2015-9308

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in the WP Google Map Plugin for WordPress allows attackers to trick authenticated administrators into performing unauthorized actions like adding or modifying maps. It affects WordPress sites using vulnerable versions of this plugin.

💻 Affected Systems

Products:
  • WP Google Map Plugin for WordPress
Versions: All versions before 2.3.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to trick authenticated admin into clicking malicious link while logged in.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify or delete all maps, inject malicious content, or potentially chain with other vulnerabilities for site takeover.

🟠 Likely Case

Unauthorized map modifications, content injection, or defacement of map sections on affected sites.

🟢 If Mitigated

Limited impact with proper CSRF protections and admin authentication requirements.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to weaponize with basic web skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.10 and later

Vendor Advisory: https://wordpress.org/plugins/wp-google-map-plugin/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP Google Map Plugin'.
4. Click 'Update Now' if available.
5. If no update is offered, download version 2.3.10+ from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable Plugin (platforms: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate wp-google-map-plugin

CSRF Protection Middleware (platforms: all)

Implement additional CSRF protection at the web server or application level.

🧯 If You Can't Patch

  • Restrict admin access to trusted networks only.
  • Implement strict Content Security Policy (CSP) headers.

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins.

Check Version:

wp plugin get wp-google-map-plugin --field=version

Verify Fix Applied:

Confirm plugin version is 2.3.10 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual map modification requests from unexpected IPs
  • CSRF token validation failures in plugin logs

Network Indicators:

  • POST requests to /wp-admin/admin.php?page=wpgmp_form_map whose Referer header is missing or does not point at the site's own wp-admin pages

SIEM Query:

source="wordpress.log" AND "wpgmp_form_map" AND (NOT referer="*wp-admin*")
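The same referrer check as the SIEM query above, applied to combined-format web server log lines so it can be run offline against an exported log. This is an added example, not part of the advisory; the hostname `example.com`, the sample log lines and the IPs in them are constructed.

```python
import re
from urllib.parse import urlparse

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SITE_HOST = "example.com"       # assumption: hostname of the monitored WordPress site
TARGET = "page=wpgmp_form_map"  # plugin admin endpoint named in the advisory

def parse_line(line):
    """Fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(entry, site_host=SITE_HOST):
    """POST to the map form whose Referer is missing or not from this site's wp-admin.

    A missing Referer can also come from a strict referrer policy or a privacy
    extension, so a hit is a lead to review against admin activity, not proof of CSRF.
    """
    if entry["method"] != "POST" or TARGET not in entry["path"]:
        return False
    ref = entry["referer"]
    if ref in ("", "-"):
        return True
    parsed = urlparse(ref)
    return not (parsed.hostname == site_host and parsed.path.startswith("/wp-admin/"))

def find_suspicious(lines, site_host=SITE_HOST):
    """(source IP, Referer) for every suspicious map-form POST in the log lines."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry, site_host):
            hits.append((entry["ip"], entry["referer"]))
    return hits

# Constructed sample lines: a legitimate admin save, a cross-site POST, a POST with
# no Referer, and an ordinary GET of the form page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-admin/admin.php?page=wpgmp_form_map HTTP/1.1" 302 0 "https://example.com/wp-admin/admin.php?page=wpgmp_form_map" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:05:42 +0000] "POST /wp-admin/admin.php?page=wpgmp_form_map HTTP/1.1" 302 0 "https://third-party.invalid/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:06:03 +0000] "POST /wp-admin/admin.php?page=wpgmp_form_map HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:07:15 +0000] "GET /wp-admin/admin.php?page=wpgmp_form_map HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Over SAMPLE_LOG, find_suspicious flags only the two POSTs from 198.51.100.7; the save with a same-site wp-admin Referer and the GET of the form page are not reported.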
