Description
The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.
Published: 2026-05-18
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows authenticated users to include arbitrary files via a parameter that is not properly sanitized before being used in a file path. The lack of input validation means a malicious user could read sensitive files from the server, potentially exposing configuration data, passwords, or other confidential information. The weakness is a classic insecure file inclusion flaw that compromises information confidentiality, but does not directly enable code execution.

Affected Systems

The affected software is the WP Maps WordPress plugin for all versions before 4.9.3. The vendor is WP Maps. Users who have an authenticated account with Subscriber+ privileges are able to trigger the vulnerability. No specific sub-versions are listed; any install of WP Maps earlier than 4.9.3 is potentially vulnerable.

Risk and Exploitability

Because the flaw is limited to authenticated users, an attacker must first obtain valid credentials on the WordPress site. No public exploit information or KEV listing is available, and EPSS data is not provided, so the current exploitation probability is uncertain but likely low. The attack vector is inferred to be a local file inclusion request sent by an authenticated user; an attacker could construct requests that include a path traversal payload to read files from the server. If the site hosts sensitive files outside the web root, they could be exposed.

Generated by OpenCVE AI on May 18, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Maps plugin to version 4.9.3 or later, which contains input validation for the file path parameter.
  • If an upgrade cannot be applied immediately, configure the web server or use WordPress security plugins to block or sanitize any file inclusion requests that involve path traversal, or reduce the privileges of the Subscriber+ role so that users cannot trigger the vulnerable endpoint.
  • Implement a web application firewall rule that rejects requests containing directory traversal patterns (e.g., "../") and enforce strict file type restrictions on any user-supplied file path parameters.



Advisories

No advisories yet.

History

Mon, 18 May 2026 11:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress; Wp Maps; Wp Maps wp Maps
Vendors & Products                    Wordpress; Wordpress wordpress; Wp Maps; Wp Maps wp Maps

Mon, 18 May 2026 07:45:00 +0000

Type                 Values Removed   Values Added
Weaknesses                            CWE-20; CWE-22

Mon, 18 May 2026 06:30:00 +0000

Type                 Values Removed   Values Added
Description                           The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.
Title                                 WP Maps < 4.9.3 - Subscriber+ Local File Inclusion
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-05-18T06:00:08.784Z

Reserved: 2026-04-15T17:43:49.889Z

Link: CVE-2026-6381

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T07:16:12.710

Modified: 2026-05-18T07:16:12.710

Link: CVE-2026-6381

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T10:48:53Z

Weaknesses