SQL Injection Vulnerability in WP Maps Plugin for WordPress
CVE-2026-3222

7.5HIGH

Key Information:

Vendor

WordPress
Status
WP Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters
Vendor
CVE Published:
11 March 2026

What is CVE-2026-3222?

The WP Maps plugin for WordPress is susceptible to time-based blind SQL Injection due to improper handling of the 'location_id' parameter. This flaw exists in all versions up to and including 4.9.1. The database abstraction layer incorrectly interprets user input wrapped in backticks as column names, allowing attackers to bypass necessary SQL escaping functions. The AJAX handler, accessible to unauthenticated users, permits the execution of arbitrary class methods, leading to potential execution of additional SQL queries. This exploitation could enable attackers to extract sensitive information from the database.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters * <= 4.9.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/wp-google-map-...
https://plugins.trac.wordpress.org/browser/wp-google-map-...

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

JohSka
JSON
.