Description
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 4.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection leading to unauthorized data exfiltration
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs when the plugin processes the 'orderby' parameter without proper escaping, allowing an attacker to inject arbitrary SQL statements. This flaw enables unauthenticated users to append malicious code to existing queries and extract confidential data from the WordPress database. The weakness corresponds to CWE-89, a classic SQL injection weakness that impacts confidentiality and potentially integrity of stored data.
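As an added illustration (not the WP Maps plugin's own code), the following WordPress-style PHP shows the pattern the description refers to: an 'orderby' request value reaching the SQL query without preparation, beside a hardened version. The table name, column names and request keys other than 'orderby' are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Assumes the WordPress global $wpdb and a
// hypothetical table {$wpdb->prefix}store_locations with columns id, title, city, created.

// UNSAFE: the request value is interpolated straight into the ORDER BY clause.
// ORDER BY takes an identifier, so $wpdb->prepare() placeholders cannot carry it,
// and escaping a string does not stop SQL being supplied in place of a column name.
function store_list_unsafe( $request ) {
    global $wpdb;
    $orderby = isset( $request['orderby'] ) ? $request['orderby'] : 'title';
    $sql     = "SELECT id, title, city FROM {$wpdb->prefix}store_locations ORDER BY {$orderby}";
    return $wpdb->get_results( $sql );
}

// HARDENED: map the user value onto a fixed allowlist of column names, fall back to a
// default for anything not on the list, and keep data values in prepare() placeholders.
function store_list_safe( $request ) {
    global $wpdb;

    $allowed_columns = array(
        'title'  => 'title',
        'city'   => 'city',
        'newest' => 'created',
    );
    $key     = isset( $request['orderby'] ) ? (string) $request['orderby'] : 'title';
    $orderby = isset( $allowed_columns[ $key ] ) ? $allowed_columns[ $key ] : 'title';

    // Sort direction is likewise reduced to one of two literal tokens.
    $order = ( isset( $request['order'] ) && 'desc' === strtolower( (string) $request['order'] ) )
        ? 'DESC'
        : 'ASC';

    // Only data values (here a city filter) go through placeholders; the identifier
    // and direction are already constrained to known-safe strings above.
    $city = isset( $request['city'] ) ? (string) $request['city'] : '';
    $sql  = $wpdb->prepare(
        "SELECT id, title, city FROM {$wpdb->prefix}store_locations WHERE city = %s ORDER BY {$orderby} {$order}",
        $city
    );
    return $wpdb->get_results( $sql );
}
```

The allowlist lookup is the essential step: because ORDER BY cannot be parameterised, validating the value against known column names (rather than escaping it) is what removes the injection point.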

Affected Systems

The affected product is the WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress, versions 4.9.1 and earlier. The plugin is maintained by FlipperCode. WordPress sites that have this plugin installed and did not upgrade beyond version 4.9.1 are vulnerable.

Risk and Exploitability

The CVSS base score is 7.5, indicating a high severity. Exploitation of the vulnerability does not require prior authentication, implying that it can be exploited remotely by anyone who can send HTTP requests to the site. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, but the high severity combined with the lack of authentication requirement suggests a significant risk of exploitation if the plugin remains at a vulnerable version. An attacker would typically issue a crafted request containing a malicious SQL payload in the 'orderby' parameter of a plugin function.

Generated by OpenCVE AI on March 23, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Maps plugin to the latest version that addresses the SQL injection flaw.
  • If an update is not immediately available, disable or remove the plugin until a patch is released.
  • Implement a web application firewall rule to block suspicious SQL injection attempts on the 'orderby' parameter.
  • Regularly review database access logs for signs of unauthorized SELECT or UNION queries that might indicate exploitation.



Advisories

No advisories yet.

History

Mon, 23 Mar 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Flippercode; Flippercode google Map; Flippercode wp Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Flippercode; Flippercode google Map; Flippercode wp Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters; Wordpress; Wordpress wordpress

Mon, 23 Mar 2026 01:45:00 +0000

Type: Description
Values Added: The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 4.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 - Unauthenticated SQL Injection via 'orderby' Parameter

Type: Weaknesses
Values Added: CWE-89

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Flippercode Google Map Wp Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:12.447Z

Reserved: 2026-02-16T10:43:01.261Z

Link: CVE-2026-2580

Vulnrichment

Updated: 2026-03-23T13:59:06.584Z

NVD

Status : Deferred

Published: 2026-03-23T00:16:51.453

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-2580

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:50:20Z

Weaknesses