CVE-2021-39346: 
WordPress vulnerability analysis and mitigation

The Google Maps Easy WordPress plugin (versions up to and including 1.9.33) contains a Stored Cross-Site Scripting vulnerability (CVE-2021-39346). The vulnerability exists due to insufficient input validation and sanitization in several parameters within the ~/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php file. This security issue specifically affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled (MITRE CVE, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue stems from improper neutralization of input during web page generation (CWE-79). The vulnerability requires an attacker to have administrative user access to exploit, allowing them to inject arbitrary web scripts through various parameters in the marker groups management interface (Wordfence Advisory).

When successfully exploited, this vulnerability allows attackers with administrative access to inject arbitrary web scripts into the application. The impact is particularly significant in multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled, potentially leading to stored cross-site scripting attacks (NVD).

A patch has been released to address this vulnerability. Users should upgrade to a version newer than 1.9.33 to mitigate this security risk. The fix can be found in the WordPress plugin repository (WordPress Patch).