Description
Deserialization of Untrusted Data vulnerability in Flipper Code - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection.This issue affects WP Maps: from n/a through <= 4.8.6.
Published: 2025-12-09
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Maps plugin in WordPress performs deserialization of untrusted data, leading to PHP object injection. An attacker who can supply crafted serialized content—such as via a request parameter or form field—can instantiate arbitrary PHP objects, potentially executing code on the server. This results in compromise of the website’s confidentiality, integrity, and availability and may grant the attacker full control of the site as the website owner. The weakness is identified as CWE‑502.

Affected Systems

This issue affects the Flipper Code WordPress Development Company’s WP Maps plugin (wp‑google‑map‑plugin) up to and including version 4.8.6. No other vendors or versions are currently listed as vulnerable.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity, while the EPSS rating of less than 1 % suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, implying there are no known large‑scale attacks. The likely attack vector is HTTP requests that contain malicious serialized data directed at the plugin’s input endpoints. Without a patch or proper validation, the flaw provides a pathway for remote code execution.

Generated by OpenCVE AI on April 29, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Maps plugin to the latest version (≥4.8.7) where the deserialization issue has been fixed.
  • If an immediate update is not possible, disable the plugin or remove all pages that use it to eliminate the injection vector.
  • Configure a Web Application Firewall or input sanitisation rules to block requests containing PHP serialized data.

Generated by OpenCVE AI on April 29, 2026 at 19:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in WePlugins - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection.This issue affects WP Maps: from n/a through <= 4.8.6. Deserialization of Untrusted Data vulnerability in Flipper Code - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection.This issue affects WP Maps: from n/a through <= 4.8.6.

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Weplugins
Weplugins wp Maps
Wordpress
Wordpress wordpress
Vendors & Products Weplugins
Weplugins wp Maps
Wordpress
Wordpress wordpress

Tue, 09 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 14:30:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in WePlugins - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection.This issue affects WP Maps: from n/a through <= 4.8.6.
Title WordPress WP Maps plugin <= 4.8.6 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Weplugins Wp Maps
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:20.157Z

Reserved: 2025-12-09T12:21:12.169Z

Link: CVE-2025-67535

cve-icon Vulnrichment

Updated: 2025-12-09T17:19:17.977Z

cve-icon NVD

Status : Deferred

Published: 2025-12-09T16:18:28.453

Modified: 2026-04-27T18:16:42.393

Link: CVE-2025-67535

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T19:45:18Z

Weaknesses