Description
The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields.
Published: 2026-06-15
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Go Maps plugin for WordPress stores marker data that can be configured as private unless approved by the site owner. Prior to version 10.0.10 the admin‑ajax fallback for the datatables route does not enforce the approval filter, so any visitor can hit the endpoint and receive the full set of marker records. The exposed data includes the marker title, category, address and description, which may contain location or other sensitive information. Because the data is disclosed without authentication or authorization, the impact is primarily a confidentiality breach – an attacker can gather private map entries and gain insight into site content or user activity.

Affected Systems

WP Go Maps plugin versions prior to 10.0.10 are vulnerable. The CVE data does not specify a minimum version, so any installation of 10.0.9 or earlier is potentially exposed.

Risk and Exploitability

The vulnerability can be exploited remotely via an unauthenticated HTTP request to the admin‑ajax.php endpoint that returns table data. No user interaction is required. The EPSS score is not available and no CVSS value is published, so beyond its information disclosure nature the severity remains undetermined. It is not listed in the CISA KEV catalog, so it is not known to have widespread exploitation, yet the data leak itself could enable more targeted attacks or privacy violations.

Generated by OpenCVE AI on June 15, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Go Maps plugin to version 10.0.10 or later.
  • If an immediate upgrade is not possible, restrict non‑authenticated access to the plugin’s admin‑ajax.php datatables route, for example by adding a rule to your web server configuration that serves the endpoint only to requests that include a valid WordPress authentication cookie.
  • Remove or manually approve any markers that are not intended for public display, or disable marker visibility for unauthenticated visitors through the plugin settings until the update can be applied.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wp Go Maps; Wp Go Maps wp Go Maps

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wp Go Maps; Wp Go Maps wp Go Maps

Mon, 15 Jun 2026 10:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-200

Mon, 15 Jun 2026 08:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields.

Type: Title
Values Removed: (none)
Values Added: WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback

Type: References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-15T06:00:01.881Z

Reserved: 2026-05-12T11:14:56.237Z

Link: CVE-2026-8385

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-15T08:16:21.013

Modified: 2026-06-15T08:16:21.013

Link: CVE-2026-8385

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T11:30:15Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor