Unauthenticated API Key Disclosure in WP Go Maps Plugin by WordPress
CVE-2023-6777

5.3MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Go Maps (formerly WP Google Maps)
Vendor: CVE Published:; 9 April 2024

Summary

The WP Go Maps plugin for WordPress contains a vulnerability that allows unauthenticated users to access the developer's Google API key. This weakness exists in versions up to and including 9.0.34 as the plugin improperly exposes the API key in multiple plugin files. Although the security of individual sites relying on this plugin is not compromised, attackers may leverage this exposure to make excessive requests using the key, potentially depleting its usage quota. This could lead to the disruption of the map functionality provided by the plugin, thereby impacting user experience.

Affected Version(s)

WP Go Maps (formerly WP Google Maps) * <= 9.0.34

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 9, 2024
Vulnerability Reserved
Dec 13, 2023

Credit

Hassan Khan Yusufzai

Danish Tariq