Vulnerability DatabaseCVE-2023-6627

CVE-2023-6627:
WordPress vulnerability analysis and mitigation

Overview

The WP Go Maps (formerly WP Google Maps) WordPress plugin before version 9.0.28 contains a serious unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-6627. The vulnerability was discovered and reported by security researcher Marc Montpas, and was publicly disclosed on December 12, 2023. The issue stems from improper protection of REST API routes, which allows attackers to store malicious HTML/Javascript on affected sites without requiring authentication (WPScan Blog).

Technical details

The vulnerability exists due to improper protection of REST API routes and logic bugs around decoding HTML entities in already sanitized HTML user content. The issue received a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The flaw allows attackers to bypass capability checks that would normally occur based on the HTTP method used, by exploiting the flexibility in WordPress REST API that allows users to specify both route and HTTP method through alternative means (NVD, WPScan Blog).

Impact

When successfully exploited, this vulnerability enables attackers to perform any action that a logged-in administrator is authorized to do on the targeted site. This includes critical actions such as installing arbitrary plugins and creating new rogue Administrator users. The vulnerability affects all versions of the plugin prior to 9.0.28 (WPScan Blog).

Mitigation and workarounds

The vulnerability has been fixed in version 9.0.28 of the WP Go Maps plugin. Site administrators are strongly advised to update to this version or later to protect against this security issue. No alternative workarounds have been published (WPScan Blog).

Community reactions

The vulnerability was responsibly disclosed to the WP Go Maps team on December 8, 2023. The team confirmed reception of the report on December 9, 2023, and promptly released a patch on December 12, 2023, demonstrating a quick response to the security issue (WPScan Blog).

Additional resources

Source: This report was generated using AI

Related WordPress vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-14001	MEDIUM	5.4	WordPress	wp-duplicate-page	No	Yes	Jan 13, 2026
CVE-2025-14579	MEDIUM	4.8	WordPress	quiz-maker	No	Yes	Jan 12, 2026
CVE-2025-13393	MEDIUM	4.3	WordPress	featured-image-from-url	No	Yes	Jan 10, 2026
CVE-2025-14829	N/A	N/A	WordPress	e-xact-hosted-payment	No	No	Jan 13, 2026
CVE-2025-10915	N/A	N/A	WordPress	dreamer-blog	No	No	Jan 13, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2023-6627: WordPress vulnerability analysis and mitigation