CVE-2021-36870: 
WordPress vulnerability analysis and mitigation

Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities were discovered in WordPress WP Google Maps plugin versions 8.1.12 and earlier. The vulnerability was assigned CVE-2021-36870 and was disclosed on June 15, 2021. The affected parameters include &datasetname, &wpgmzagdprretentionpurpose, &wpgmzagdprcompany_name, &name #2, &name, &polyname #2, &polyname, and &address (Patchstack Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 Base Score of 5.4 (Medium) according to NVD, and 5.5 (Medium) according to Patchstack. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability requires low attack complexity and user interaction, with limited confidentiality and integrity impact (NVD Database).

If exploited, this vulnerability could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which would be executed when guests visit the site. Since this is an authenticated vulnerability, an attacker would need to have valid credentials to exploit it (Patchstack Advisory).

The vulnerability was fixed in version 8.1.13 of the WP Google Maps plugin. Users are advised to update to this version or later to remove the vulnerability (Patchstack Advisory).