PatchSiren cyber security CVE debrief
CVE-2026-13335 codepeople CVE debrief
The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6. This vulnerability allows authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability has a CVSS score of 6.4 and a severity of MEDIUM. The CVE was published on 2026-06-27T02:16:29.110Z and last modified on 2026-06-29T18:40:23.203Z.
- Vendor: codepeople
- Product: CodePeople Post Map for Google Maps
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-27
- Original CVE updated: 2026-06-29
- Advisory published: 2026-06-27
- Advisory updated: 2026-06-29
Who should care
Administrators and users of the CodePeople Post Map for Google Maps plugin for WordPress should be aware of this vulnerability and take steps to mitigate it. This vulnerability can allow attackers to inject malicious scripts, potentially leading to unauthorized actions or data breaches. The attack requires an account with Contributor-level access or above, and it affects any user who views an injected page.
Technical summary
The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'cpm_point' Post Meta. This vulnerability exists due to insufficient input sanitization and output escaping. An attacker with Contributor-level access or higher can inject arbitrary web scripts, which will be executed when a user accesses the injected page. The vulnerability's CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating a Medium severity with a score of 6.4.
Defensive priority
This vulnerability should be prioritized for remediation due to its Medium severity and the potential for authenticated attackers to inject malicious scripts. Administrators should update the plugin to a patched version as soon as possible.
Recommended defensive actions
- Update the CodePeople Post Map for Google Maps plugin to a version beyond 1.2.6.
- Limit Contributor-level access and above to only trusted users.
- Monitor for suspicious activity and injected scripts.
- Implement additional security measures such as Web Application Firewalls (WAFs) to detect and prevent XSS attacks.
- Regularly review and update plugins and themes to ensure they are up-to-date and patched.
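One way to act on the monitoring step above, as an added example that is not code from the plugin or the advisory: it scans a tab-separated export of WordPress post meta rows and flags 'cpm_point' values that contain script-like markup. The export columns (post_id, meta_key, meta_value), the sample rows and the serialized layout of the value are constructed assumptions, and the markers are heuristics, so a hit means the post needs review.

```python
import csv
import io
import re

# Heuristic markers of active content. Map-point fields (name, address,
# coordinates) have no legitimate need for any of them.
MARKERS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "active_tag": re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]{3,}\s*=", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
}

def audit_cpm_point(tsv_text):
    """Return {post_id: [marker names]} for suspicious cpm_point values."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    findings = {}
    for row in reader:
        if row["meta_key"] != "cpm_point":
            continue  # only the meta key named in the CVE
        hits = [name for name, rx in MARKERS.items()
                if rx.search(row["meta_value"] or "")]
        if hits:
            findings[int(row["post_id"])] = hits
    return findings

# Constructed sample export (not real data); the serialized layout of the
# meta value is an assumption made for illustration.
SAMPLE = "\n".join([
    "post_id\tmeta_key\tmeta_value",
    '101\tcpm_point\ta:2:{s:4:"name";s:6:"Office";s:8:"latitude";s:7:"40.7128";}',
    '102\tcpm_point\ta:1:{s:4:"name";s:25:"<script>alert(1)</script>";}',
    '103\tcpm_point\ta:1:{s:4:"name";s:28:"<img src=x onerror=alert(1)>";}',
    "104\t_edit_last\t1",
])

if __name__ == "__main__":
    for post_id, hits in audit_cpm_point(SAMPLE).items():
        print(f"post {post_id}: review cpm_point ({', '.join(hits)})")
```

Rows whose meta value contains literal tabs or newlines would need a different export format than the one assumed here.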
Evidence notes
The CVE-2026-13335 record was obtained from the National Vulnerability Database (NVD) and provides details on the vulnerability, including its CVSS score and severity. The vulnerability was reported by [email protected] and has several references to code locations in the plugin.
This article is AI-assisted and based on the supplied source corpus.