Impact
The WordPress Google Map Professional plugin contains an SQL Injection vulnerability: attacker-supplied input reaches SQL statements without the characters that carry SQL meaning (quotes, comment sequences, statement separators) being neutralized, so the input is parsed as part of the query rather than treated as data. An attacker who can reach the affected input could read, modify, or delete data stored in the WordPress database. The impact described is limited to the confidentiality and integrity of that database; there is no evidence of direct code execution, but loss or alteration of database contents could be significant.
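The following is an added illustration of the vulnerability class, not code from the plugin or the advisory. It uses a constructed in-memory SQLite database with hypothetical `maps` and `users` tables to show how a value concatenated into a query is parsed as SQL (a tautology returns every row, a UNION reads a different table) and how a parameterized query takes the same payloads as plain data. The equivalent fix in a WordPress plugin is to pass user input through `$wpdb->prepare()` rather than concatenating it.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a plugin's tables (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE maps (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO maps VALUES (?, ?)",
                     [(1, "Office"), (2, "Warehouse"), (3, "Private site")])
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "$2y$10$alicehash"), (2, "$2y$10$bobhash")])
    return conn


def get_map_vulnerable(conn, map_id):
    """The injection pattern: the request value is spliced into the SQL text,
    so quotes and keywords inside it change the statement's structure."""
    sql = "SELECT id, title FROM maps WHERE id = '" + map_id + "'"
    return conn.execute(sql).fetchall()


def get_map_fixed(conn, map_id):
    """Parameterized form: the value is bound separately and never parsed as SQL,
    so the same payloads simply fail to match any id."""
    return conn.execute("SELECT id, title FROM maps WHERE id = ?", (map_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payloads = [
        "1",                                             # legitimate lookup
        "1' OR '1'='1",                                  # tautology: dumps every map
        "1' UNION SELECT id, pw_hash FROM users --",     # cross-table read
    ]
    for payload in payloads:
        print(repr(payload))
        print("  vulnerable:", get_map_vulnerable(db, payload))
        print("  fixed:     ", get_map_fixed(db, payload))
```

Stacked statements (`'; DELETE FROM maps; --`) are the modification and deletion case the advisory mentions; SQLite's `execute()` refuses multiple statements, but MySQL drivers configured to allow them would run the second statement, which is why the fixed form binds values rather than trying to filter them.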
Affected Systems
Any WordPress installation running the WordPress Google Map Professional plugin (listed in the vendor's product list as pankajpragma WordPress Google Map Professional) at version 1.0 or earlier is affected. The published range gives no lower bound ("n/a") and an upper bound of <=1.0, so every release up to and including 1.0 should be assumed vulnerable.
Risk and Exploitability
The CVSS score of 8.5 places the issue in the High severity band, while the EPSS score below 1% indicates a low estimated probability of exploitation in the wild at the time of analysis. The plugin is reached over the web, so the expected attack vector is an HTTP request to one of the plugin's endpoints carrying an SQL payload in an input parameter. The vulnerability is not currently listed in CISA's KEV catalog. Security teams should prioritise it as high severity (inventory installations of the plugin, update to a fixed release if one is available or otherwise disable it, and review request logs for SQL syntax in parameters sent to the plugin's endpoints) while recognising that active exploitation is currently unlikely.
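As an added example of the log review suggested above (not code from the advisory, OpenCVE or the plugin), the script below scans combined-format web server access log lines, percent-decodes the query string of requests to the plugin's endpoints, and flags parameter values that contain SQL syntax. The endpoint prefixes, the `action` name and the sample log lines are all constructed assumptions; substitute the real plugin slug and handlers before running it against live logs. It also shows the limitation a practitioner should expect: payloads sent in a POST body are not in the access log, so only GET parameters are visible here.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption (not from the advisory): the plugin's request handlers sit under these
# paths. Replace with the real plugin slug / AJAX actions before use on live logs.
PLUGIN_ENDPOINT_PREFIXES = (
    "/wp-content/plugins/google-map-professional/",
    "/wp-admin/admin-ajax.php",
)

# Apache/nginx combined log: client, timestamp, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators of SQL syntax inside a decoded parameter value. Deliberately
# conservative: a lone apostrophe (o'brien) does not match; quote followed by a
# boolean keyword, UNION SELECT, comment terminators or stacked writes do.
SQLI_INDICATORS = [
    ("quote-boolean", re.compile(r"'\s*(or|and)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("comment-terminator", re.compile(r"(--(\s|$)|/\*)")),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("stacked-write", re.compile(r";\s*(drop|delete|update|insert)\b", re.I)),
]


def scan_log(lines):
    """Return one finding per request to a plugin endpoint whose query string
    carries an SQL-injection indicator. POST bodies are not in the access log,
    so only GET parameters can be inspected this way."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.startswith(PLUGIN_ENDPOINT_PREFIXES):
            continue
        # parse_qsl percent-decodes, so encoded payloads are inspected in clear text.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            for label, pattern in SQLI_INDICATORS:
                if pattern.search(value):
                    findings.append({"client": client, "time": ts, "method": method,
                                     "path": parts.path, "param": name,
                                     "indicator": label, "status": int(status)})
                    break
    return findings


# Constructed sample log lines (hypothetical paths and action name).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/google-map-professional/map.php?id=12 HTTP/1.1" 200 4120',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/google-map-professional/map.php?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9871',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=get_map&id=1%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 655',
    '192.0.2.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?s=o%27brien HTTP/1.1" 200 5012',
    '192.0.2.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/plugins/google-map-professional/map.php?q=o%27brien HTTP/1.1" 200 3010',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['method']} {f['path']} "
              f"param={f['param']} indicator={f['indicator']} status={f['status']}")
```

The response size and status column are worth keeping in the finding: a tautology payload that succeeds typically returns a noticeably larger body than the legitimate request, which helps separate a blocked probe from a successful extraction.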