CVE-2019-19134

medium

Description

The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to unauthenticated XSS via the p parameter of views/dashboard/index.php because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to inject HTML or arbitrary JavaScript that runs in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based tokens or to launch other attacks.

References

https://www.hooperlabs.xyz/disclosures/cve-2019-19134.php

https://wpvulndb.com/vulnerabilities/10095

https://heroplugins.com/product/maps/

https://heroplugins.com/changelogs/hmaps/changelog.txt

Details

Source: Mitre, NVD

Published: 2020-02-26

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.05651