Looked at the actual file and found that this is vulnerability mitigation by WP Go Maps. WordFence the URL and is now flagging it.
/**
* Mitigates a specific exploit vulnerability in version 9.0.30
*
* Note: This function addresses the exploit issue introduced in version 9.0.28, but we are reversing the effects in 9.0.30
Hi @flexer & @donniepeters,
Thank you both for bringing this to our attention. I can confirm that this is a false report, flagged by the URL being present in a mitigation function added in the last update (as mentioned by @flexer).
The mitigation function scans the marker data for the URL and removes it from the content to prevent the link from existing anywhere within our marker data.
We’re currently looking into ways to allow this to exist, without being flagged by WordFence, while remaining effective. However, I must reiterate the URL is only present as a security measure within our core code.
Hi again,
We’ve just deployed a new version which removes the blacklisted URL, while retaining the mitigation code. From our tests, this no longer causes the false-positive report from WordFence.
Thank you again for reporting the issue. 🙂