CVE-2024-29931

7.1 HIGH

📋 TL;DR

This reflected cross-site scripting (XSS) vulnerability allows attackers to inject malicious scripts into web pages generated by the WP Go Maps WordPress plugin. When a user visits a specially crafted URL, the injected script executes in their browser, potentially stealing session cookies or performing actions on their behalf. All WordPress sites running a vulnerable version of the WP Go Maps plugin are affected.

💻 Affected Systems

Products:
  • WP Go Maps (formerly WP Google Maps) WordPress plugin
Versions: All versions up to and including 9.0.29
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the plugin's web page generation code and is exploitable whenever the plugin is active.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full control of the WordPress site, install backdoors, deface the site, or steal sensitive user data.

🟠 Likely Case

Attackers steal user session cookies, redirect users to malicious sites, or perform limited actions within the user's context.

🟢 If Mitigated

With proper input validation and output encoding, the attack fails silently with no impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS typically requires user interaction (clicking a malicious link) but is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.30 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-go-maps-plugin-9-0-29-reflected-cross-site-scripting-xss-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Go Maps.
4. Click 'Update Now' if available.
5. Alternatively, download version 9.0.30+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Disable WP Go Maps plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate wp-google-maps

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules.
  • Restrict plugin access to trusted users only using WordPress role management.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for WP Go Maps version. If version is 9.0.29 or lower, it is vulnerable.

Check Version:

wp plugin get wp-google-maps --field=version

Verify Fix Applied:

After updating, verify the plugin version shows 9.0.30 or higher in WordPress admin.
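The version check above can be scripted so it is not done by eye. The following is an added example (not part of this advisory or of the plugin) that wraps the WP-CLI command given above and compares the result against the fixed release numerically; the `--path` argument and the `installed_version` helper are assumptions for running it outside the WordPress root.

```python
import re
import subprocess

# Fixed release stated in the advisory; anything below it is affected.
FIXED_VERSION = "9.0.30"
PLUGIN_SLUG = "wp-google-maps"


def parse_version(version: str) -> tuple:
    """Turn '9.0.29' into (9, 0, 29) so versions compare numerically.
    A plain string comparison would wrongly rank '9.0.3' above '9.0.29'."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed WP Go Maps version is below the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def installed_version(wp_path: str = ".") -> str:
    """Ask WP-CLI for the plugin version (the same command the advisory gives).
    `wp_path` is passed through WP-CLI's global --path option (assumed here)."""
    result = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    current = installed_version()
    state = "VULNERABLE" if is_vulnerable(current) else "patched"
    print(f"{PLUGIN_SLUG} {current}: {state} (fixed in {FIXED_VERSION})")
```

Run it from the WordPress root (or pass the site path to `installed_version`); a non-zero exit from `wp` raises `CalledProcessError`, which is the right outcome when the plugin is not installed at all.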

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET/POST requests containing script tags or JavaScript in URL parameters to WP Go Maps endpoints.
  • Multiple failed XSS attempts in web server logs.

Network Indicators:

  • HTTP requests with suspicious parameters like <script>alert()</script> in URLs.

SIEM Query:

source="web_logs" AND (url="*wp-google-maps*" AND (url="*<script>*" OR url="*javascript:*"))
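The SIEM query matches the literal strings `<script>` and `javascript:`, so a request that carries them percent-encoded (as browsers and proxies normally log them) slips past it. Below is an added example (not part of this advisory) that applies the same two patterns from the query to web server access-log lines after bounded URL decoding, and counts repeat sources to support the "multiple attempts" indicator above. The log lines, client addresses and the `?map=` parameter are constructed for the example and are not the plugin's real endpoints.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Scope and patterns mirror the SIEM query on this page.
PLUGIN_PATH_MARKER = "wp-google-maps"
XSS_PATTERNS = re.compile(r"<script|javascript:", re.IGNORECASE)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly, with a bound, so double-encoded input
    (e.g. %253Cscript%253E) is compared in the same literal form the SIEM
    query expects. The bound keeps a pathological input from looping."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str):
    """Return a hit record for a plugin request carrying an XSS indicator,
    or None for lines that are unparseable, out of scope, or clean."""
    match = LOG_RE.match(line)
    if not match:
        return None
    target = fully_decode(match.group("target"))
    if PLUGIN_PATH_MARKER not in target:
        return None
    if not XSS_PATTERNS.search(target):
        return None
    return {
        "client": match.group("client"),
        "method": match.group("method"),
        "target": target,          # decoded form, for analyst readability
        "status": int(match.group("status")),
    }


def find_indicators(lines):
    """All hits, in log order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def repeat_offenders(hits, threshold: int = 2):
    """Clients with at least `threshold` hits (the 'multiple attempts' indicator)."""
    counts = Counter(hit["client"] for hit in hits)
    return sorted(client for client, n in counts.items() if n >= threshold)


# Constructed sample access-log lines (addresses from documentation ranges).
SAMPLE_LOGS = [
    # 1: ordinary map page request, no payload -> ignored
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-content/plugins/wp-google-maps/?map=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # 2: single-encoded <script> tag in a plugin URL -> flagged
    '198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /wp-content/plugins/wp-google-maps/?map=%3Cscript%3Ealert()%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # 3: double-encoded javascript: URI in a plugin URL -> flagged only because we decode
    '198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /wp-content/plugins/wp-google-maps/?map=%256Aavascript%253Aalert(1) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # 4: same pattern against a path outside the plugin -> out of scope for this rule
    '198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOGS)
    for hit in hits:
        print(f'{hit["client"]} {hit["method"]} {hit["status"]} {hit["target"]}')
    print("repeat sources:", repeat_offenders(hits))
```

Line 3 is the case the literal SIEM query misses: it only becomes `javascript:` after two decoding passes. The rule is deliberately scoped to the plugin path, as the query is; broaden `PLUGIN_PATH_MARKER` if you want the same check across the whole site.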
