CVE-2023-6777

MEDIUM EPSS 51.8%
Published Apr 9, 20242y ago · Modified Jun 17, 20261w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Apr 9, 2024 2y ago
Last Modified Jun 17, 2026 1w ago

Description

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 9.0.34 due to the plugin adding the API key to several plugin files. This makes it possible for unauthenticated attackers to obtain the developer's Google API key. While this does not affect the security of sites using this plugin, it allows unauthenticated attackers to make requests using this API key with the potential of exhausting requests resulting in an inability to use the map functionality offered by the plugin.

CVSS Details

Base Score
6.5
Exploitability
3.9
Impact
2.5
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability Low

Threat Intelligence

EPSS Exploit Probability
51.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

Affected Products 2

VendorProductVersionRange
codecabinwp_go_maps* <9.0.35
codecabinwp_go_maps* <9.0.35

References 2

  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3058300%40wp-google-maps&new=3058300%40wp-google-maps&sfp_email=&sfph_mail=#file673
    Patch
  • wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/509cccbd-3aa0-45f1-84a0-387d678ebf65?source=cve
    Third Party Advisory

Remediation

  • plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3058300%40wp-google-maps&new=3058300%40wp-google-maps&sfp_email=&sfph_mail=#file673
    Patch