WP Go Maps < 10.0.10 – Unauthenticated Sensitive Information Disclosure via Marker ID | CVE 2026-8386

Description

The plugin does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.

Proof of Concept

Prerequisite: at least one marker row exists with `approved=0` in `wp_wpgmza`. This is the plugin's normal moderation-queue state (markers awaiting admin approval after submission via the plugin's front-end or admin "approval required" workflow). Marker IDs are sequential auto-increment integers, so the moderation queue is enumerable.

As an unauthenticated visitor (no cookies, no nonce), either path returns the full marker record:

REST path:
  curl -sS "https://example.com/?rest_route=/wpgmza/v1/markers/3/"

AJAX fallback (equivalent):
  curl -sS "https://example.com/wp-admin/admin-ajax.php?action=wpgmza_rest_api_request&route=/markers/3/"

Both responses return identical bytes, including the raw `approved=0` flag and every column of the marker row: id, map_id, title, address, description, lat, lng, pic, link, icon, category, retina, type, sticky, layergroup, anim, infoopen, did. Substituting other small integer IDs enumerates the entire moderation queue.