The WP Google Maps plugin for WordPress, in versions prior to 7.11.35, allows cross-site scripting (XSS) via the rectangle_name or rectangle_opacity parameter in wp-admin/.
codecabin wp go maps