WP Maps plugin for WordPress allows hackers to access sensitive files

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.8

WP Maps plugin for WordPress allows hackers to access sensitive files

CVE-2025-12062

Summary

The WP Maps plugin for WordPress has a security flaw that allows hackers with a basic account to access and run files on the server, potentially stealing sensitive data or taking control of the site. This affects all versions of the plugin up to 4.8.6. To fix this, update the plugin to the latest version or consider replacing it with a more secure alternative.

Original title

Original description

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .html files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .html file types can be uploaded and included.

nvd CVSS3.1 8.8

Vulnerability type

CWE-22 Path Traversal

Published: 17 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026