WordPress Plugin Vulnerabilities

WP Maps < 4.9.3 - Subscriber+ Local File Inclusion

Description

The plugin does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.

Proof of Concept

Affects Plugins

Plugin icon
wp-google-map-plugin
Fixed in 4.9.3

References

CVE
CVE-2026-6381

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Mustafa Ahmed
Submitter
Mustafa Ahmed
Submitter website
https://fortressmssp.com
Verified
Yes
WPVDB ID
18b36672-58d7-44fa-b653-b728e9ef257a

Timeline

Publicly Published
2026-04-27 (about 21 days ago)
Added
2026-04-27 (about 20 days ago)
Last Updated
2026-04-27 (about 20 days ago)

Other

Published
Title
Published
2021-09-09
Title
wp-publications - Local File Inclusion
Published
2015-08-28
Title
NextGEN Gallery < 2.1.9 - Authenticated Path Traversal
Published
2025-12-11
Title
WatchTowerHQ < 3.16.1 - Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter
Published
2025-03-27
Title
JS Help Desk < 2.9.2 - Unauthenticated Arbitrary File Download
Published
2025-04-04
Title
Drag and Drop Multiple File Upload for WooCommerce < 1.1.5 - Unauthenticated Arbitrary File Move