Description
The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped in backticks as column names, bypassing the `esc_sql()` escaping function. Additionally, the `wpgmp_ajax_call` AJAX handler (registered for unauthenticated users via `wp_ajax_nopriv`) allows calling arbitrary class methods including `wpgmp_return_final_capability`, which passes the unsanitized `location_id` GET parameter directly to a database query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection (Data Compromise)
Action: Patch
AI Analysis

Impact

Key detail from description: the WP Maps plugin for WordPress is vulnerable to time‑based blind SQL injection via the 'location_id' parameter in all versions up to and including 4.9.1. The flaw allows an unauthenticated attacker to inject additional SQL into existing queries, potentially extracting sensitive database contents. This is a direct instance of CWE-89 because it involves unsanitized user input being passed to a database query.
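As an added example, not code from the WP Maps plugin or from OpenCVE, the following PHP shows the defensive pattern the description implies is missing: column names must be allowlisted, because `esc_sql()` only escapes values and a "wrapped in backticks, so it must be a column" heuristic cannot make an identifier safe. The function names (`safe_column`, `build_location_query`), the table name and the column list are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code): allowlist-based column validation.
// esc_sql() is a value escaper; it does not make an identifier (table/column
// name) safe, and a check that accepts anything wrapped in backticks as a
// column name lets attacker-controlled text reach the query unescaped.
// Assumed names: safe_column(), build_location_query(); the table and the
// column list below are constructed for illustration.

/**
 * Return $name only if it is exactly one of the known columns; otherwise throw.
 * Backticks, spaces, comment markers or any other characters are rejected
 * because the comparison is exact, not a "looks like an identifier" heuristic.
 */
function safe_column(string $name, array $allowed): string {
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('Unknown column: ' . $name);
    }
    return $name;
}

/**
 * Build a lookup query. The identifier is allowlisted and the value goes
 * through $wpdb->prepare(), so user input never reaches the SQL as raw text.
 */
function build_location_query(wpdb $wpdb, string $column, $value): string {
    $allowed = ['location_id', 'location_title', 'location_city']; // constructed list
    $col = safe_column($column, $allowed);
    // %d forces an integer for the id column; %s quotes and escapes text values.
    $fmt = ($col === 'location_id') ? '%d' : '%s';
    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}map_locations WHERE `{$col}` = {$fmt}",
        $value
    );
}

// Usage (inside WordPress, where the global $wpdb exists):
//   build_location_query($wpdb, 'location_id', '7');
//     -> "SELECT * FROM wp_map_locations WHERE `location_id` = 7"
//   build_location_query($wpdb, '`location_id`', '7');
//     -> throws InvalidArgumentException: the backticks are not a known column
```

Since WordPress 6.2, `$wpdb->prepare()` also accepts the `%i` placeholder for identifiers, which is the preferred way to interpolate a column name once it has passed an allowlist check like the one above.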

Affected Systems

Installations of FlipperCode’s WP Maps – Store Locator plugin and its components (Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters) are affected in every version up to and including 4.9.1. The vulnerable code lives in core plugin files such as class.model.php and wp-google-map-plugin.php, as shown in the provided references.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a relatively low likelihood of widespread exploitation at present. The vulnerability can be triggered without authentication through the 'wpgmp_ajax_call' AJAX endpoint, meaning an attacker can send crafted requests from any IP address. Because the vulnerability allows extraction of proprietary data, it poses a significant threat to the confidentiality and integrity of the WordPress database. The vulnerability is not listed in the CISA KEV catalog, so there are no known large‑scale exploits for this flaw yet, but its ease of exploitation warrants prompt mitigation.

Generated by OpenCVE AI on March 17, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or the WordPress plugin repository for an updated version of WP Maps that removes the vulnerable code.
  • If an update is not available, disable or restrict access to the 'wpgmp_ajax_call' AJAX endpoint so that only authenticated users can invoke it.
  • Limit the privileges of the database user used by WordPress to the minimum required for normal operation.
  • Monitor database and web server logs for unusual queries or failed login attempts that involve the 'location_id' parameter.
  • Apply general WordPress hardening measures, such as keeping all core files, themes, and plugins up to date, using a web application firewall to block SQL injection patterns, and restricting plugin installation to approved developers.
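One way to carry out the second and fourth items above while a fixed version is awaited, as an added example rather than the plugin's own or OpenCVE's code: a must-use plugin that intercepts the unauthenticated hook, logs the attempt and ends the request before the plugin's handler runs. The hook name `wp_ajax_nopriv_wpgmp_ajax_call` is inferred from the description (handler `wpgmp_ajax_call` registered via `wp_ajax_nopriv`), and the plugin's own handler is assumed to use WordPress's default priority of 10.

```php
<?php
/**
 * Plugin Name: Block unauthenticated wpgmp_ajax_call (added example)
 *
 * Added example, not the WP Maps plugin's or OpenCVE's code. Place it in
 * wp-content/mu-plugins/ as an interim measure until a fixed WP Maps
 * version is installed. It hooks the same nopriv action the plugin
 * registers (hook name inferred from the advisory description), at
 * priority 0 so it runs before the plugin's handler (assumed to be at the
 * WordPress default of 10), logs the attempt and ends the request.
 * Logged-in users are unaffected because only the nopriv hook is
 * intercepted.
 */
add_action('wp_ajax_nopriv_wpgmp_ajax_call', function () {
    $location_id = isset($_GET['location_id']) ? (string) $_GET['location_id'] : '';
    $client_ip   = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    // Record who hit the endpoint and whether the parameter looked like a
    // plain numeric id (assumed to be the expected shape). Logging the
    // length rather than the raw value keeps attacker-controlled text out
    // of the log line.
    $looks_numeric = ctype_digit($location_id);
    error_log(sprintf(
        'wpgmp_ajax_call blocked (unauthenticated) ip=%s location_id_numeric=%s len=%d',
        $client_ip,
        $looks_numeric ? 'yes' : 'no',
        strlen($location_id)
    ));

    // wp_send_json_error() emits the JSON body and calls wp_die(), so the
    // plugin's own handler registered at a later priority never executes.
    wp_send_json_error(['message' => 'Authentication required.'], 403);
}, 0);
```

This stops every anonymous use of the endpoint, so any public-facing map that loads its data through `wpgmp_ajax_call` will stop working for visitors; verify on a staging site first, and remove the mu-plugin once the patched version is installed.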


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 14:15:00 +0000
  Metrics (ssvc), values added:
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000
  First Time appeared, values added: Flippercode; Flippercode wp Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters; Wordpress; Wordpress wordpress
  Vendors & Products, values added: Flippercode; Flippercode wp Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 05:30:00 +0000
  Description, values added: (identical to the Description section at the top of this page)
  Title, values added: WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter
  Weaknesses, values added: CWE-89
  References
  Metrics (cvssV3_1), values added:
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T14:06:44.795Z

Reserved: 2026-02-25T18:31:35.132Z

Link: CVE-2026-3222

Vulnrichment

Updated: 2026-03-11T14:06:10.663Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T06:17:14.777

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-3222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:50Z

Weaknesses