FKIE_CVE-2026-3222
Vulnerability from fkie_nvd - Published: 2026-03-11 06:17 - Updated: 2026-04-22 21:27
Summary
The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped in backticks as column names, bypassing the `esc_sql()` escaping function. Additionally, the `wpgmp_ajax_call` AJAX handler (registered for unauthenticated users via `wp_ajax_nopriv`) allows calling arbitrary class methods including `wpgmp_return_final_capability`, which passes the unsanitized `location_id` GET parameter directly to a database query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the \u0027location_id\u0027 parameter in all versions up to, and including, 4.9.1. This is due to the plugin\u0027s database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped in backticks as column names, bypassing the `esc_sql()` escaping function. Additionally, the `wpgmp_ajax_call` AJAX handler (registered for unauthenticated users via `wp_ajax_nopriv`) allows calling arbitrary class methods including `wpgmp_return_final_capability`, which passes the unsanitized `location_id` GET parameter directly to a database query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
},
{
"lang": "es",
"value": "El plugin WP Maps para WordPress es vulnerable a inyecci\u00f3n SQL ciega basada en tiempo a trav\u00e9s del par\u00e1metro \u0027location_id\u0027 en todas las versiones hasta, e incluyendo, la 4.9.1. Esto se debe a que la capa de abstracci\u00f3n de base de datos del plugin (`FlipperCode_Model_Base::is_column()`) trata la entrada del usuario envuelta en comillas invertidas como nombres de columna, omitiendo la funci\u00f3n de escape `esc_sql()`. Adem\u00e1s, el gestor AJAX `wpgmp_ajax_call` (registrado para usuarios no autenticados a trav\u00e9s de `wp_ajax_nopriv`) permite llamar a m\u00e9todos de clase arbitrarios, incluyendo `wpgmp_return_final_capability`, que pasa el par\u00e1metro GET `location_id` sin sanitizar directamente a una consulta de base de datos. Esto hace posible que atacantes no autenticados a\u00f1adan consultas SQL adicionales a consultas ya existentes que pueden ser usadas para extraer informaci\u00f3n sensible de la base de datos."
}
],
"id": "CVE-2026-3222",
"lastModified": "2026-04-22T21:27:27.950",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security@wordfence.com",
"type": "Secondary"
}
]
},
"published": "2026-03-11T06:17:14.777",
"references": [
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/core/class.model.php#L328"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/wp-google-map-plugin.php#L250"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/wp-google-map-plugin.php#L590"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/core/class.model.php#L328"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/wp-google-map-plugin.php#L250"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/wp-google-map-plugin.php#L590"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/changeset/3475665/wp-google-map-plugin/trunk/core/class.model.php"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/changeset/3475665/wp-google-map-plugin/trunk/wp-google-map-plugin.php"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3475665%40wp-google-map-plugin%2Ftrunk\u0026old=3439153%40wp-google-map-plugin%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"source": "security@wordfence.com",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b612267c-a125-4153-9de7-bb12a7646021?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@wordfence.com",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.