CVE-2023-5128 in TCD Google Maps Plugininfo

Summary

by MITRE • 11/22/2023

The TCD Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'map' shortcode in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/11/2026

The TCD Google Maps plugin for WordPress presents a critical stored cross-site scripting vulnerability that affects versions up to and including 1.8. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's map shortcode implementation. The flaw specifically targets user-supplied attributes that are processed through the 'map' shortcode functionality, creating a persistent vector for malicious code injection that can compromise the integrity of the WordPress installation and its user base.

The technical exploitation of this vulnerability occurs when authenticated attackers with contributor-level permissions or higher manipulate the map shortcode parameters to inject malicious JavaScript code. These attackers can leverage their elevated privileges to modify plugin settings or content that gets rendered through the vulnerable shortcode, allowing them to store malicious scripts within the WordPress database. The stored nature of this XSS vulnerability means that the injected code persists and executes automatically whenever any user accesses pages containing the compromised shortcode, making it particularly dangerous for widespread impact.

From an operational perspective, this vulnerability creates significant risks for WordPress sites utilizing the TCD Google Maps plugin, as it allows attackers to execute arbitrary code in the context of users' browsers. The attack requires only contributor-level permissions, which is often accessible through compromised user accounts or social engineering attacks. Once exploited, attackers can potentially steal session cookies, redirect users to malicious sites, modify content, or perform actions on behalf of authenticated users, effectively compromising the entire WordPress installation's security posture.

The vulnerability aligns with CWE-79 which categorizes cross-site scripting flaws as weaknesses in input validation and output escaping. This weakness specifically manifests as a stored XSS vulnerability that operates through user-supplied input that is not properly sanitized before being rendered in web pages. The ATT&CK framework would classify this as a technique involving code injection and privilege escalation, where the initial compromise occurs through the contributor role and escalates to full session hijacking capabilities. The attack vector follows the pattern of exploiting web application vulnerabilities to execute malicious code in the victim's browser context.

Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the XSS flaw through proper input sanitization and output escaping mechanisms. Organizations should implement strict role-based access controls to limit contributor privileges and regularly audit user permissions to prevent unauthorized access to plugin configuration areas. Additionally, implementing Content Security Policy headers and regular security scanning of WordPress installations can provide additional defense layers against similar vulnerabilities. The remediation process should also include monitoring for suspicious plugin modifications and conducting thorough security assessments of all installed plugins to identify potential similar weaknesses in the WordPress ecosystem.

Reservation

09/22/2023

Disclosure

11/22/2023

Moderation

accepted

CPE

ready

EPSS

0.00545

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!