CVE-2024-13306

4.3 MEDIUM

📋 TL;DR

This vulnerability allows high-privilege WordPress users (such as administrators) to inject malicious scripts through the settings of the Maps Plugin using Google Maps. The stored XSS payload executes when other users view affected pages, even in multisite setups where the unfiltered_html capability is normally restricted. Only WordPress sites running vulnerable plugin versions are affected.

💻 Affected Systems

Products:
  • Maps Plugin using Google Maps for WordPress
Versions: All versions before 1.9.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires high-privilege user access (admin or similar). Multisite installations are particularly affected as unfiltered_html restrictions don't prevent exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.

🟠 Likely Case

A privileged user injects malicious scripts that steal session cookies or redirect users to phishing sites.

🟢 If Mitigated

Limited impact with proper user access controls and regular security monitoring.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access. An attack would involve injecting JavaScript into the plugin settings, which then executes when other users view affected pages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.4

Vendor Advisory: https://wpscan.com/vulnerability/ec3096f2-60fd-4654-9e95-5cf4b20b2990/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Maps Plugin using Google Maps'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.9.4+ from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Remove vulnerable plugin (applies to: all)

Temporarily disable or remove the plugin until patched:

wp plugin deactivate maps-plugin-using-google-maps
wp plugin delete maps-plugin-using-google-maps

Restrict admin access (applies to: all)

Temporarily limit administrative access to trusted users only.

🧯 If You Can't Patch

  • Implement strict user access controls and monitor admin activities
  • Deploy web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in the WordPress admin under Plugins > Installed Plugins. If the version is below 1.9.4, the site is vulnerable.

Check Version:

wp plugin get maps-plugin-using-google-maps --field=version

Verify Fix Applied:

Confirm plugin version shows 1.9.4 or higher in WordPress admin panel.
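A shell helper, added here and not part of the advisory, that wraps the wp-cli version check above and compares the result numerically against the fixed version 1.9.4 (a plain string comparison would rank 1.10.0 below 1.9.4). The --path argument and the per-site wrapper are assumptions for running the check across several installs.

```shell
# Fixed version from the advisory and the plugin slug used by the wp-cli commands above.
FIXED_VERSION="1.9.4"
PLUGIN_SLUG="maps-plugin-using-google-maps"

# Returns 0 (true) when the installed version "$1" is still affected, i.e. strictly
# lower than 1.9.4. Dotted versions are compared field by field as numbers, so
# 1.10.0 sorts after 1.9.4 and a two-part version such as 1.9 counts as below 1.9.4.
maps_plugin_vulnerable() {
  installed="$1"
  lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" \
    | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$installed" != "$FIXED_VERSION" ] && [ "$lowest" = "$installed" ]
}

# Queries wp-cli for one WordPress install (the --path value is an assumption) and
# reports the result; returns 1 for a vulnerable install so it can be used in a loop.
check_site() {
  path="$1"
  ver=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$path" 2>/dev/null) \
    || { echo "$path: plugin not installed"; return 0; }
  if maps_plugin_vulnerable "$ver"; then
    echo "$path: VULNERABLE ($ver < $FIXED_VERSION)"
    return 1
  fi
  echo "$path: ok ($ver)"
  return 0
}
```

Run `check_site /var/www/example` (path is a placeholder) per install; a non-zero exit marks a site still below 1.9.4.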

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin setting modifications by admin users
  • JavaScript injection patterns in plugin configuration

Network Indicators:

  • Suspicious outbound connections from admin pages
  • Unexpected script loading from plugin URLs

SIEM Query:

source="wordpress" AND (event="plugin_updated" OR event="option_updated") AND plugin="maps-plugin-using-google-maps"
