Unauthenticated API Key Disclosure in WP Go Maps Plugin by WordPress
CVE-2023-6777

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Go Maps (formerly WP Google Maps)
Vendor: CVE Published:; 9 April 2024

What is CVE-2023-6777?

The WP Go Maps plugin for WordPress contains a vulnerability that allows unauthenticated users to access the developer's Google API key. This weakness exists in versions up to and including 9.0.34 as the plugin improperly exposes the API key in multiple plugin files. Although the security of individual sites relying on this plugin is not compromised, attackers may leverage this exposure to make excessive requests using the key, potentially depleting its usage quota. This could lead to the disruption of the map functionality provided by the plugin, thereby impacting user experience.

Affected Version(s)

WP Go Maps (formerly WP Google Maps) * <= 9.0.34

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2024
Vulnerability Reserved
Dec 13, 2023

Credit

Hassan Khan Yusufzai

Danish Tariq

Wordpress

What is CVE-2023-6777?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit