Description
The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.
Published: 2026-06-15
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Go Maps WordPress plugin versions earlier than 10.0.10 expose a public REST endpoint that retrieves a single marker record. The endpoint ignores the marker’s approval state, allowing any visitor to request details of markers that an administrator has not yet approved for public display. Because marker records may contain personally identifying information, such as full addresses and descriptive text, the flaw enables unauthorized disclosure of private data and potential location tracking of individuals.

Affected Systems

This vulnerability affects the WP Go Maps plugin for WordPress, specifically any installation running a version earlier than 10.0.10. The flaw exists in the plugin’s public single‑marker REST API, which is enabled by default for all sites using the plugin.

Risk and Exploitability

No CVSS score is reported for this CVE, and no EPSS value is available; the issue is also not listed in the CISA KEV catalog. Attackers do not need credentials or special privileges to exploit the flaw – an unauthenticated user can request any marker ID and receive the data. Consequently, the exposure risk is high for any site that includes personal or sensitive content in markers and has the default REST endpoint accessible. The lack of any mitigation from the vendor beyond the upgrade path means that the vulnerability will remain exploitable until the plugin is updated.

Generated by OpenCVE AI on June 15, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Go Maps plugin to version 10.0.10 or later.
  • If an upgrade is not feasible immediately, limit access to the single‑marker REST endpoint, for example by configuring the site’s access control or firewall rules to block unauthenticated requests to the endpoint.
  • Review other REST API endpoints exposed by WordPress plugins to ensure they enforce proper approval or access controls, and apply patches or configuration changes as needed.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wp Go Maps; Wp Go Maps wp Go Maps
Vendors & Products | | Wordpress; Wordpress wordpress; Wp Go Maps; Wp Go Maps wp Go Maps

Mon, 15 Jun 2026 09:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-200; CWE-284

Mon, 15 Jun 2026 08:00:00 +0000

Type | Values Removed | Values Added
Description | | The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.
Title | | WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Marker ID
References | |

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-15T06:00:02.121Z

Reserved: 2026-05-12T11:26:42.916Z

Link: CVE-2026-8386

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-15T08:16:22.007

Modified: 2026-06-15T08:16:22.007

Link: CVE-2026-8386

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T10:30:03Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control