Description
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .html files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .html file types can be uploaded and included.
Published: 2026-02-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The WP Maps plugin contains a local file inclusion flaw in its fc_load_template function. Authenticated users with Subscriber privileges or higher can supply a path to an arbitrary .html file that the server will include. Because an included file is parsed as PHP regardless of its extension, any PHP code in that .html file is executed, effectively enabling remote code execution and the ability to bypass access controls and access sensitive data.

Affected Systems

All installations of the WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress up to and including version 4.8.6 are affected. The plugin is maintained by flippercode. Upgrading to any version newer than 4.8.6 removes this vulnerability.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog. The attack requires an authenticated account with Subscriber privileges or higher and the ability to upload or otherwise place an executable .html file on the server. Once such a file exists, the attacker can trigger fc_load_template to include the file, leading to code execution. Because inclusion is limited to local .html files and requires authentication, unauthenticated users cannot exploit the vulnerability remotely.

Generated by OpenCVE AI on April 22, 2026 at 12:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Maps plugin to the latest official release (greater than version 4.8.6) to eliminate the local file inclusion flaw.
  • If an upgrade is not immediately possible, configure WordPress or the plugin to disallow uploading of .html files or enforce strict file type validation to prevent execution of PHP code.
  • Review the plugin's upload directories for existing .html files, remove any that contain or could contain PHP code, and set appropriate file permissions to prevent unintended execution.
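
The review described in the last recommended action can be scripted. The following is an added example, not code from the plugin, its vendor, or OpenCVE; the function names and the sample tree are constructed for illustration, and the directory to audit (for example wp-content/uploads) is an assumption passed as the first argument.

```shell
#!/bin/sh
# Added example, not plugin or OpenCVE code. Assumption: the directory to
# audit (for example wp-content/uploads) is passed as the first argument.

# Print every .html file under $1 that contains a PHP open tag ("<?php" or
# the short echo tag "<?="), one path per line, sorted. Bare "<?" short tags,
# which PHP honours only when short_open_tag is on, are not matched.
scan_html_for_php() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type f -iname '*.html' -exec grep -liE '<\?(php|=)' {} + | sort
}

# Print .html files under $1 that are group- or world-writable, i.e. files
# that another local account could modify to add PHP later.
scan_html_writable() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type f -iname '*.html' \( -perm -020 -o -perm -002 \) | sort
}

# Build a constructed sample tree (not real site data) and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/2026/02"
    printf '<html><body>store list</body></html>\n' > "$d/2026/02/clean.html"
    printf '<h1>map</h1>\n<?php echo "constructed marker"; ?>\n' > "$d/2026/02/tpl.html"
    printf '<p><?= 1 ?></p>\n' > "$d/short.HTML"
    printf '<?php // constructed, not an .html file\n' > "$d/notes.txt"
    chmod 644 "$d/2026/02/clean.html" "$d/2026/02/tpl.html" "$d/notes.txt"
    chmod 666 "$d/short.HTML"
    printf '%s\n' "$d"
}

# Audit a real directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    echo "== .html files containing PHP open tags:"
    scan_html_for_php "$1"
    echo "== group- or world-writable .html files:"
    scan_html_writable "$1"
fi
```

Files reported by the first check should be inspected and removed if they are not legitimate templates; files reported by the second should have their permissions tightened.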

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Flippercode; Flippercode wp Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters; Wordpress; Wordpress wordpress
Vendors & Products | | Flippercode; Flippercode wp Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters; Wordpress; Wordpress wordpress

Mon, 16 Feb 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .html files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .html file types can be uploaded and included.
Title | | WP Maps <= 4.8.6 - Authenticated (Subscriber+) Limited Local File Inclusion
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:44.114Z

Reserved: 2025-10-22T12:09:20.000Z

Link: CVE-2025-12062

Vulnrichment

Updated: 2026-02-17T14:40:40.572Z

NVD

Status: Deferred

Published: 2026-02-17T00:16:17.080

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:15:16Z

Weaknesses