WordPress Plugin Vulnerabilities

WP Maps < 4.8.7 - Subscriber+ Limited Local File Inclusion

Description

The plugin is vulnerable to Local File Inclusion via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .html files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .html file types can be uploaded and included.

Affects Plugins

Plugin icon
wp-google-map-plugin
Fixed in 4.8.7

References

CVE
CVE-2025-12062
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/815e5b86-2d1b-4794-b761-dad770393d3e

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
801ebeb9-6216-4ee2-8542-01e4bc7e6372

Timeline

Publicly Published
2026-02-16 (about 4 months ago)
Added
2026-02-16 (about 4 months ago)
Last Updated
2026-02-16 (about 4 months ago)

Other

Published
Title
Published
2026-06-05
Title
WP User Manager < 2.9.18 - Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter
Published
2016-03-30
Title
IMDb Profile Widget <= 1.0.8 - Local File Inclusion (LFI)
Published
2025-05-12
Title
Opal Woo Custom Product Variation < 1.2.1 - Unauthenticated Arbitrary File Deletion
Published
2023-12-26
Title
Store Locator WordPress < 1.4.15 - Admin+ Arbitrary File Deletion
Published
2024-06-06
Title
Qi Addons For Elementor < 1.7.3 - Authenticated (Contributor+) Local File Inclusion