Description
The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. The namespace validation check (requiring the 'WPGMZA' prefix) does not prevent exploitation because classes such as WPGMZA\Map and WPGMZA\Marker satisfy it while still triggering an INSERT into the corresponding plugin table before the route rejects the request.
Published: 2026-06-19
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP Go Maps – Most Popular Map Plugin for WordPress suffers from an authorization bypass that allows anyone without authentication to create entries in any of the plugin’s database tables, including maps, markers, circles, polygons, polylines, rectangles, and point labels. The flaw originates from an inadequate verification of the phpClass parameter, which accepts classes prefixed with "WPGMZA" (such as WPGMZA\Map or WPGMZA\Marker). When a request contains a valid class name, the plugin performs an INSERT into the corresponding table before rejecting the request for lack of permission, thus enabling unprivileged data injection.
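To make the ordering problem concrete, here is a minimal PHP model of the bug class, written for this page rather than taken from the plugin's code base: the Crud base class and its insert-on-construct behaviour, the table name, the handler function names and the $can_edit flag are assumptions made for the example; only the phpClass parameter, the 'WPGMZA' prefix check and the class names WPGMZA\Map and WPGMZA\Marker come from the advisory.

```php
<?php
// Illustrative model of CWE-862 in a "validate class name, instantiate, then
// authorize" handler. Not the plugin's code; names below are assumptions.

namespace WPGMZA;

abstract class Crud
{
    // Assumption: a CRUD-backed object with no id writes itself to the
    // database as soon as it is constructed. That constructor side effect is
    // the INSERT the advisory describes.
    public function __construct(array $data = [], ?int $id = null)
    {
        if ($id === null) {
            $this->insert($data);
        }
    }

    abstract protected function insert(array $data): void;
}

class Map extends Crud
{
    protected function insert(array $data): void
    {
        echo "INSERT INTO wp_wpgmza_maps ...\n"; // assumed table name
    }
}

class Marker extends Crud
{
    protected function insert(array $data): void
    {
        echo "INSERT INTO wp_wpgmza ...\n"; // assumed table name
    }
}

// Vulnerable ordering: a namespace-prefix check lets any WPGMZA class through,
// the object is constructed (and inserted) before the permission check runs,
// so the 403 arrives after the row already exists.
function handle_request_vulnerable(array $params, bool $can_edit): array
{
    $class = $params['phpClass'] ?? '';
    if (strpos($class, 'WPGMZA\\') !== 0) {
        return ['status' => 400, 'error' => 'Invalid class'];
    }
    new $class($params['data'] ?? []);            // INSERT happens here
    if (!$can_edit) {
        return ['status' => 403, 'error' => 'Forbidden']; // too late
    }
    return ['status' => 200];
}

// Hardened ordering: authorize before doing anything with attacker input, and
// resolve the class against an explicit allowlist rather than a prefix.
function handle_request_fixed(array $params, bool $can_edit): array
{
    if (!$can_edit) {
        return ['status' => 403, 'error' => 'Forbidden']; // nothing touched
    }
    $allowed = [
        'WPGMZA\\Map'    => true,
        'WPGMZA\\Marker' => true,
    ];
    $class = $params['phpClass'] ?? '';
    if (!isset($allowed[$class])) {
        return ['status' => 400, 'error' => 'Invalid class'];
    }
    new $class($params['data'] ?? []);
    return ['status' => 200];
}

// Constructed request from an anonymous caller ($can_edit === false).
$request = ['phpClass' => 'WPGMZA\\Marker', 'data' => ['lat' => 0, 'lng' => 0]];
print_r(handle_request_vulnerable($request, false)); // prints the INSERT first, then status 403
print_r(handle_request_fixed($request, false));      // status 403, no INSERT
```

The allowlist matters independently of the ordering fix: even with the capability check first, a prefix match still lets an authorized but low-privileged user pick any class in the namespace, including ones the route was never meant to construct.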

Affected Systems

All WordPress sites running WP Go Maps 10.1.01 or earlier are affected, whichever map engine the plugin is configured to render (Google Maps, OpenStreetMap, or Leaflet overlays). Because the flaw needs no authentication, any site on which the plugin's REST routes are reachable from the public internet is exposed; WordPress serves REST routes to anonymous visitors by default, so a route is only as protected as its own permission check.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (Medium) reflects a network-reachable, low-complexity attack that needs no privileges or user interaction, offset by a limited integrity-only impact (C:N/I:L/A:N): an attacker can add rows but not read or delete data. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation takes a single crafted REST request whose phpClass parameter names a WPGMZA CRUD-backed class; the plugin instantiates that class, which inserts a record, and only then rejects the request. The authorization check is therefore bypassed for the INSERT even though the response reports a failure, and the inserted rows persist after the rejected request.

Generated by OpenCVE AI on June 19, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP Go Maps to a version newer than 10.1.01 as soon as the vendor publishes one; at the time of this page no vendor fix or workaround is listed.
  • If an upgrade cannot be performed immediately, block unauthenticated requests to the plugin's REST routes with a security plugin or web server rule. WordPress exposes REST routes to anonymous visitors by default, so nothing outside the route's own permission check stops them.
  • Add an application-level rule that rejects requests carrying a phpClass parameter from unauthenticated users, so the INSERT never runs. Scope the rule to anonymous requests and verify on a staging site that administrators can still create and edit maps and markers.
  • If map functionality is not required, deactivate or remove the plugin rather than only disabling its REST routes; a deactivated plugin registers no routes at all.
  • Check the plugin's tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) for unexpected rows created during the exposure window and remove them, since records written before the request was rejected are not rolled back.
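One way to implement the application-level rule above, as an added example rather than a vendor-supplied workaround: a must-use plugin that hooks WordPress's rest_pre_dispatch filter and refuses any anonymous REST request that carries a phpClass parameter. It assumes the vulnerable route is served through the WordPress REST API, which the advisory's wording ("the route rejects the request") suggests but does not state, and that no anonymous visitor legitimately sends phpClass. The file name and the error code string are choices made for this example.

```php
<?php
/**
 * Plugin Name: Block unauthenticated phpClass REST requests
 * Description: Example mitigation written for this page; not vendor code.
 *
 * Save as wp-content/mu-plugins/block-phpclass.php. Files in mu-plugins are
 * loaded automatically and cannot be deactivated from the admin UI.
 */

add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    // Only act on requests that carry the parameter at all; ordinary map
    // rendering and every other REST call pass through untouched.
    $php_class = $request->get_param('phpClass');
    if ($php_class === null || $php_class === '') {
        return $result;
    }

    // Deny anonymous callers outright. Logged-in users still go through the
    // plugin's own permission checks; tighten to a capability check (for
    // example current_user_can('manage_options')) if only administrators
    // ever need this parameter on your site.
    if (!is_user_logged_in()) {
        error_log(sprintf(
            'Blocked unauthenticated REST request with phpClass=%s from %s to %s',
            $php_class,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', // behind a proxy, use the forwarded header you trust
            $request->get_route()
        ));

        // Returning a non-null value from rest_pre_dispatch short-circuits
        // the request, so the plugin's handler never runs and nothing is
        // inserted. A WP_Error becomes a JSON error response with HTTP 403.
        return new WP_Error(
            'rest_forbidden_phpclass',
            'Requests specifying phpClass require authentication.',
            ['status' => 403]
        );
    }

    return $result;
}, 10, 3);
```

Before relying on this, confirm that the phpClass parameter actually reaches the plugin through the REST API on your installation: if it arrives via admin-ajax.php instead, rest_pre_dispatch never sees it and the rule must be moved to an equivalent early hook or to the web server. Keep the error_log line; a burst of blocked requests is also the signal to go and check the plugin tables for rows created before the rule was in place.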

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. The namespace validation check (requiring the 'WPGMZA' prefix) does not prevent exploitation because classes such as WPGMZA\Map and WPGMZA\Marker satisfy it while still triggering an INSERT into the corresponding plugin table before the route rejects the request.
Title        (none)           WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Creation
Weaknesses   (none)           CWE-862
References   (none)           (none)
Metrics      (none)           cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-19T18:32:05.833Z

Reserved: 2026-06-15T03:44:18.959Z

Link: CVE-2026-12238

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses