CVE-2019-19134: 
WordPress vulnerability analysis and mitigation

The Hero Maps Premium WordPress plugin version 2.2.1 and prior contained an unauthenticated reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2019-19134. The vulnerability was discovered in the views/dashboard/index.php file where the 'p' parameter was not properly sanitized, allowing attackers to inject malicious JavaScript code. The issue was patched in version 2.2.3 released on February 25, 2020 (Hooper Labs, Plugin Changelog).

The vulnerability exists due to insufficient sanitization of user-supplied input in the 'p' parameter within the views/dashboard/index.php file. When the parameter value is processed, it is returned within the page as HTML or JavaScript without proper encoding. The vulnerability has a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

An attacker could leverage this vulnerability to execute arbitrary JavaScript code in the browser of an unsuspecting user in the context of the affected site. This could potentially allow the attacker to steal cookie-based authentication credentials or launch other attacks against site users (Hooper Labs).

Users should upgrade to Hero Maps Premium version 2.2.3 or later, which includes a patch for this vulnerability. The fix was implemented by properly sanitizing the 'p' parameter input (Plugin Changelog).