Impact
An unauthenticated attacker can inject arbitrary SQL through insecure input handling in the WordPress WP Maps plugin, permitting manipulation of the underlying database. The flaw, identified as CWE‑89, could result in data exfiltration, modification, or deletion, thereby compromising the confidentiality, integrity, and availability of the site’s data assets.
Affected Systems
Vendors: Flipper Code – WordPress Development Company:WP Maps. Product: WordPress WP Maps plugin. Versions affected: 4.9.1 and any earlier releases.
Risk and Exploitability
The CVSS score of 9.3 marks this as a critical vulnerability. The EPSS score is less than 1 %, indicating a low likelihood of current exploitation, and the issue is not yet listed in the CISA KEV catalog. Likely attack vectors are direct web requests to the plugin’s endpoints, with no authentication required, meaning that any visitor to the site could potentially exploit the flaw.
OpenCVE Enrichment