
WP Maps plugin for WordPress: Unauthenticated data theft via SQL Injection

CVE-2026-3222
Summary

An unauthenticated attacker can read sensitive data from your WordPress database if you use the WP Maps plugin (versions up to and including 4.9.1). The plugin does not properly validate the 'location_id' parameter before using it in a database query, which allows SQL injection. Update to the latest version of the plugin to remove this risk.

Original description
The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped in backticks as column names, bypassing the `esc_sql()` escaping function. Additionally, the `wpgmp_ajax_call` AJAX handler (registered for unauthenticated users via `wp_ajax_nopriv`) allows calling arbitrary class methods including `wpgmp_return_final_capability`, which passes the unsanitized `location_id` GET parameter directly to a database query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
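The description above names three defects: an identifier check that trusts backtick-wrapped input as a column name, an AJAX entry point that dispatches to arbitrary class methods, and an integer parameter reaching the query unsanitised. The following is an added example, not the WP Maps plugin's code, of how a WordPress AJAX handler closes all three: method dispatch through an explicit allowlist, column names validated against the real schema rather than against the shape of the input, and `location_id` coerced to an integer and bound with `$wpdb->prepare()`. The action name, function names, table name and `field` parameter are hypothetical; `absint()`, `sanitize_key()`, `wp_unslash()`, `wp_send_json_error()` and `$wpdb->prepare()` are standard WordPress APIs.

```php
<?php
// Added example (hypothetical plugin code, not WP Maps). Demonstrates the
// defensive pattern for an unauthenticated AJAX endpoint that reads a row by id.

// 1. One fixed AJAX action maps to one fixed handler. There is no generic
//    "call whatever method the request names" dispatcher.
add_action( 'wp_ajax_nopriv_example_get_location', 'example_get_location' );
add_action( 'wp_ajax_example_get_location', 'example_get_location' );

/**
 * Return true only if $column is a real column of $table.
 *
 * The decision comes from the database schema (DESCRIBE), never from
 * inspecting the request string, so wrapping input in backticks or any
 * other quoting cannot make it "look like" a column.
 */
function example_is_column( string $table, string $column ): bool {
    global $wpdb;
    static $cache = [];
    if ( ! isset( $cache[ $table ] ) ) {
        // $table is supplied by code, never by the request.
        $cache[ $table ] = $wpdb->get_col( "DESCRIBE `{$table}`", 0 ) ?: [];
    }
    // Strict, exact match against the schema's column names.
    return in_array( $column, $cache[ $table ], true );
}

function example_get_location() {
    global $wpdb;

    // 2. The row identifier is coerced to a non-negative integer before it
    //    gets anywhere near SQL; "0" is treated as "no valid id".
    $location_id = isset( $_GET['location_id'] )
        ? absint( wp_unslash( $_GET['location_id'] ) )
        : 0;
    if ( 0 === $location_id ) {
        wp_send_json_error( [ 'message' => 'invalid location_id' ], 400 );
    }

    // 3. If the caller may choose a column at all, the choice is reduced to
    //    [a-z0-9_-] and then checked against the schema allowlist.
    $table  = $wpdb->prefix . 'example_locations'; // hypothetical table
    $column = isset( $_GET['field'] )
        ? sanitize_key( wp_unslash( $_GET['field'] ) )
        : 'location_title';
    if ( ! example_is_column( $table, $column ) ) {
        wp_send_json_error( [ 'message' => 'unknown field' ], 400 );
    }

    // 4. The identifier was allowlisted above; the value is bound by prepare().
    $sql   = $wpdb->prepare(
        "SELECT `{$column}` FROM `{$table}` WHERE location_id = %d",
        $location_id
    );
    $value = $wpdb->get_var( $sql );

    wp_send_json_success( [ 'location_id' => $location_id, 'value' => $value ] );
}
```

The key design point is that identifier validation and value escaping are different problems: `esc_sql()` protects string values inside quotes, so a check that decides "this is a column name" by looking for surrounding backticks defeats it. Deriving the allowlist from `DESCRIBE` keeps the check correct when the schema changes, and binding the id with `%d` makes the query type-safe regardless of what the request contained.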
NVD CVSS 3.1 base score: 7.5
Vulnerability type
CWE-89 SQL Injection
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026