CVE-2024-5219 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Easy Google Maps plugin for WordPress, developed by supsysticcom. The flaw exists due to improper neutralization of input during web page generation (CWE-79), specifically within the plugin's file upload feature. All versions up to and including 1.11.15 are affected. Authenticated users with Author-level permissions or higher can upload files containing malicious scripts that are not properly sanitized or escaped before being rendered on pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing actions on behalf of victims. The vulnerability is remotely exploitable over the network (AV:N), requires low attack complexity (AC:L), and privileges at the Author level (PR:L), but no user interaction (UI:N) is needed. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, and it impacts confidentiality and integrity (C:L/I:L) but not availability (A:N). No patches or known exploits are currently available, but the risk is significant for multi-author WordPress sites using this plugin. The vulnerability was published on July 2, 2024, and assigned a CVSS v3.1 score of 6.4, indicating medium severity.

This vulnerability allows authenticated users with Author-level access to inject persistent malicious scripts into web pages, which execute in the context of any user viewing those pages. The impact includes potential theft of session cookies, enabling account takeover, unauthorized actions performed on behalf of users, defacement, or distribution of malware. For organizations, this can lead to compromised user accounts, loss of trust, data leakage, and reputational damage. Since WordPress powers a significant portion of the web and Easy Google Maps is a popular plugin, many websites—especially those with multiple content contributors—are at risk. Attackers exploiting this vulnerability could escalate privileges or pivot to further internal attacks. The lack of required user interaction increases the risk of widespread exploitation once the vulnerability is known. However, the requirement for authenticated access limits exposure primarily to sites with multiple users or where attackers can obtain credentials.

Organizations should immediately verify if they use the Easy Google Maps plugin and identify the version installed. Since no official patch is currently available, administrators should consider temporarily disabling or uninstalling the plugin to eliminate the attack vector. Restrict Author-level permissions to trusted users only and audit user roles to minimize risk. Implement Web Application Firewall (WAF) rules to detect and block suspicious file uploads or script injections related to this plugin. Monitor logs for unusual activity or unexpected file uploads. Educate content authors about the risks of uploading untrusted files. Once a patch is released, promptly apply it. Additionally, consider deploying Content Security Policy (CSP) headers to mitigate the impact of injected scripts and use security plugins that provide XSS protection. Regularly back up website data to enable recovery if an attack occurs.