SQL Injection Vulnerability in WP Maps Plugin for WordPress
CVE-2026-3222

7.5HIGH

Key Information:

Vendor: WordPress
Status: WP Maps – Store Locator,google Maps,openstreetmap,mapbox,listing,directory & Filters
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-3222?

The WP Maps plugin for WordPress is susceptible to time-based blind SQL Injection due to improper handling of the 'location_id' parameter. This flaw exists in all versions up to and including 4.9.1. The database abstraction layer incorrectly interprets user input wrapped in backticks as column names, allowing attackers to bypass necessary SQL escaping functions. The AJAX handler, accessible to unauthenticated users, permits the execution of arbitrary class methods, leading to potential execution of additional SQL queries. This exploitation could enable attackers to extract sensitive information from the database.

Affected Version(s)

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters 0 <= 4.9.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-google-map-...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Feb 25, 2026

Credit

JohSka

CVE-2026-3222 Data

JSON