Question 1

How do I know if my WP Go Maps plugin is vulnerable?

Accepted Answer

How do I know if my WP Go Maps plugin is vulnerable?

Your site is vulnerable if you are running any version of WP Go Maps up to and including 9.0.28. To check your version, log into your WordPress dashboard and click on Plugins from the left-hand menu. Then scroll through the list to find WP Go Maps and check which version is listed. If you see version 9.0.28 or earlier, you should immediately update.

Question 2

Is this vulnerability being actively exploited right now?

Accepted Answer

Is this vulnerability being actively exploited right now?

At the time of public disclosure on January 23rd, 2024, there was no evidence that this reflected cross-site scripting issue was being actively exploited in the wild. However, now that technical details are public, attackers may attempt to abuse the vulnerability against outdated WP Go Maps installations. So applying the patch should be considered very urgent.

Question 3

How serious is this vulnerability?

Accepted Answer

How serious is this vulnerability?

The vulnerability has a CVSS severity score of 6.1 out of 10, making it a medium severity flaw. While not as critical as remote code execution, the ability to run scripts cross-site via user interaction does pose security risks. Attackers may leverage it to steal credentials, extract sensitive site data, or spread malware. So while medium severity, it still represents a real threat that website owners need to address.

Question 4

Can my site get hacked just because I am vulnerable?

Accepted Answer

Can my site get hacked just because I am vulnerable?

The vulnerability requires a user to click on a specially crafted link for any attack to be triggered. However, through social engineering tactics like phishing emails, attackers can seek to fool users into clicking such malformed links. And from there, additional hacking activities may be possible. So keeping the plugin updated does add an important layer of protection.

Question 5

How urgent is it to update?

Accepted Answer

How urgent is it to update?

Updating WP Go Maps should be treated as an urgent priority. Now that the technical details are public, malicious hackers may quickly attempt to scan for vulnerable sites to attack. Each day without the patch increases the odds of compromise. Owners should apply the 9.0.29 patch right away.

Question 6

Will updating impact my maps?

Accepted Answer

Will updating impact my maps?

According to the plugin developer, updating to the latest fixed version will not disrupt existing maps or settings. It only applies a security patch to address this vulnerability. So patching is safe and seamless for properly configured installations. As always, having a current site backup is advised prior to any plugin updates just to be safe, however.

Question 7

How can users best stay on top of WordPress vulnerabilities?

Accepted Answer

How can users best stay on top of WordPress vulnerabilities?

Subscribing to publisher security mailing lists, monitoring public disclosure channels like CVE databases, and leveraging firewalls and security plugins that check for vulnerable software can help users better track risks and updates. Automating the update process is also advised so patches roll out quickly and easily. Staying vigilant takes work but is necessary.

Question 8

What other steps can I take to secure my WP site?

Accepted Answer

What other steps can I take to secure my WP site?

Some key fundamentals include hardening admin accounts with strong passwords, limiting and logging login attempts to block brute force attacks, minimizing unused plugins and limiting themes to reputable options, performing regular malware scans, and backing up site files and databases in case recovery is ever needed. Our blog covers additional ways to lock down sites.

Question 9

Should I consider alternatives to WP Go Maps?

Accepted Answer

Should I consider alternatives to WP Go Maps?

The quick response of the WP Go Maps team to address this vulnerability is reassuring. However, if you have concerns, alternative WordPress maps plugins are available. Be aware that alternatives may also contain vulnerabilities, so staying updated across all plugins in use on your site remains critical regardless. There is no 100% guaranteed solution - just best practices to encourage better security.

keep WordPress secure

WP Go Maps Vulnerability – Reflected Cross-Site Scripting – CVE-2023-6697 | WordPress Plugin Vulnerability Report

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy