Description
The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Go Maps WordPress plugin versions earlier than 10.0.10 expose a public REST endpoint that retrieves a single marker record. The endpoint ignores the marker’s approval state, allowing any visitor to request details of markers that an administrator has not yet approved for public display. Because marker records may contain personally identifying information, such as full addresses and descriptive text, the flaw enables unauthorized disclosure of private data and potential location tracking of individuals.

Affected Systems

This vulnerability affects the WP Go Maps plugin for WordPress, specifically any installation running a version earlier than 10.0.10. The flaw exists in the plugin's public single-marker REST API, which is enabled by default for all sites using the plugin.

Risk and Exploitability

The CVSS score is 5.3 and the EPSS score is below 1%; the issue is also not listed in the CISA KEV catalog. Attackers need no credentials or special privileges to exploit the flaw: an unauthenticated user can request any marker ID and receive the data. Consequently, the exposure risk is high for any site that includes personal or sensitive content in markers and leaves the default REST endpoint reachable. Since the vendor provides no mitigation beyond the upgrade path, the vulnerability remains exploitable until the plugin is updated.

Generated by OpenCVE AI on June 18, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Go Maps plugin to version 10.0.10 or later.
  • If an upgrade is not feasible immediately, limit access to the single-marker REST endpoint, for example by configuring the site's access control or firewall rules to block unauthenticated requests to the endpoint.
  • Review other REST API endpoints exposed by WordPress plugins to ensure they enforce proper approval or access controls, and apply patches or configuration changes as needed.


Tracking


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:45:00 +0000

Weaknesses (values added): CWE-200, CWE-284

Thu, 18 Jun 2026 04:45:00 +0000

Weaknesses (values added): CWE-200, CWE-284

Mon, 15 Jun 2026 17:30:00 +0000

Metrics (values added):

cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 10:30:00 +0000

First Time appeared (values added): Wordpress; Wordpress wordpress; Wp Go Maps; Wp Go Maps wp Go Maps

Vendors & Products (values added): Wordpress; Wordpress wordpress; Wp Go Maps; Wp Go Maps wp Go Maps

Mon, 15 Jun 2026 09:45:00 +0000

Weaknesses (values added): CWE-200, CWE-284

Mon, 15 Jun 2026 08:00:00 +0000

Description (values added): The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.

Title (values added): WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Marker ID
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-15T16:44:33.201Z

Reserved: 2026-05-12T11:26:42.916Z

Link: CVE-2026-8386

Vulnrichment

Updated: 2026-06-15T16:39:23.826Z

NVD

Status: Deferred

Published: 2026-06-15T08:16:22.007

Modified: 2026-06-15T20:50:47.973

Link: CVE-2026-8386

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T22:30:16Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-284: Improper Access Control