WordPress Plugin Vulnerabilities

WP Maps < 4.9.2 - Unauthenticated SQL Injection via 'location_id' Parameter

Description

The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped in backticks as column names, bypassing the `esc_sql()` escaping function. Additionally, the `wpgmp_ajax_call` AJAX handler (registered for unauthenticated users via `wp_ajax_nopriv`) allows calling arbitrary class methods including `wpgmp_return_final_capability`, which passes the unsanitized `location_id` GET parameter directly to a database query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affects Plugins

Plugin icon
wp-google-map-plugin
Fixed in 4.9.2

References

CVE
CVE-2026-3222
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b612267c-a125-4153-9de7-bb12a7646021

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.5 (high)

Miscellaneous

Original Researcher
johska
Verified
No
WPVDB ID
c1f19d2e-b28e-4962-951d-946b311fcd0b

Timeline

Publicly Published
2026-03-10 (about 3 months ago)
Added
2026-03-10 (about 3 months ago)
Last Updated
2026-03-11 (about 3 months ago)

Other

Published
Title
Published
2020-05-18
Title
Ajax Load More < 5.3.2 - Authenticated SQL Injection
Published
2015-04-14
Title
Community Events < 1.4 - SQL Injection
Published
2025-02-03
Title
uListing < 2.1.7 - Authenticated (Contributor+) SQL Injection
Published
2025-06-13
Title
AutomatorWP < 5.2.6 - Authenticated (Administrator+) SQL Injection via field_conditions
Published
2025-01-15
Title
Smart Manager < 8.53.0 - Authenticated (Administrator+) SQL Injection