Description
Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can inject arbitrary SQL through insecure input handling in the WordPress WP Maps plugin, permitting manipulation of the underlying database. The flaw, identified as CWE‑89, could result in data exfiltration, modification, or deletion, thereby compromising the confidentiality, integrity, and availability of the site’s data assets.

Affected Systems

Vendors: Flipper Code – WordPress Development Company:WP Maps. Product: WordPress WP Maps plugin. Versions affected: 4.9.1 and any earlier releases.

Risk and Exploitability

The CVSS score of 9.3 marks this as a critical vulnerability. The EPSS score is less than 1 %, indicating a low likelihood of current exploitation, and the issue is not yet listed in the CISA KEV catalog. Likely attack vectors are direct web requests to the plugin’s endpoints, with no authentication required, meaning that any visitor to the site could potentially exploit the flaw.

Generated by OpenCVE AI on June 17, 2026 at 23:00 UTC.

Remediation

Vendor Solution

Update the WordPress WP Maps Plugin to the latest available version (at least 4.9.2).


OpenCVE Recommended Actions

  • Apply the latest WP Maps plugin update (4.9.2 or later).
  • If immediate update is not possible, disable or remove the plugin until the patch is applied to prevent exploitation.
  • After remediation, review database logs for any anomalous activity that may indicate past exploitation.

Generated by OpenCVE AI on June 17, 2026 at 23:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Flipper Code – Wordpress Development Company
Flipper Code – Wordpress Development Company wp Maps
Wordpress
Wordpress wordpress
Vendors & Products Flipper Code – Wordpress Development Company
Flipper Code – Wordpress Development Company wp Maps
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions.
Title WordPress WP Maps plugin <= 4.9.1 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Flipper Code – Wordpress Development Company Wp Maps
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T17:11:53.493Z

Reserved: 2026-04-07T10:47:37.759Z

Link: CVE-2026-39492

cve-icon Vulnrichment

Updated: 2026-06-16T14:09:12.310Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:44.863

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39492

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:55Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')