WordPress Plugin Vulnerabilities

WP Go Maps (formerly WP Google Maps) < 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Map Engine Setting Modification

Description

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings.

Affects Plugins

Plugin icon
wp-google-maps
Fixed in 10.0.05

References

CVE
CVE-2026-0593
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7f0741c1-a5d7-41a4-a739-2cb7cb836509

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Moose Love
Verified
No
WPVDB ID
b3e6d770-477c-4c9d-8446-3770b6968d0f

Timeline

Publicly Published
2026-01-24 (about 3 months ago)
Added
2026-01-24 (about 3 months ago)
Last Updated
2026-01-24 (about 3 months ago)

Other

Published
Title
Published
2026-02-07
Title
iPOSpays Gateways WC <= 1.3.7 - Missing Authorization
Published
2025-03-25
Title
BWL Advanced FAQ Manager < 2.1.5 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Published
2024-09-05
Title
Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin < 1.2.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2022-09-15
Title
Awesome Filterable Portfolio <= 1.9.7 - Unauthenticated Settings Update
Published
2026-02-05
Title
Addonify Floating Cart For WooCommerce <= 1.2.17 - Missing Authorization