Local File Inclusion Vulnerability in WP Maps Plugin for WordPress
CVE-2026-6381

Currently unrated

Key Information:

Vendor: WordPress
Status: WP Maps
Vendor: CVE Published:; 18 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-6381?

The WP Maps WordPress plugin, prior to version 4.9.3, contains a vulnerability that allows authenticated users to execute Local File Inclusion (LFI) attacks due to insufficient sanitization of a parameter used in file paths. This flaw can potentially lead to unauthorized access and disclosure of sensitive filesystem information.

Affected Version(s)

WP Maps 0 < 4.9.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-6381 - Proof of Concept

References

https://wpscan.com/vulnerability/18b36672-58d7-44fa-b653-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 18, 2026
👾
Exploit known to exist
May 18, 2026
Vulnerability published
May 18, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Mustafa Ahmed

WPScan

CVE-2026-6381 Data

JSON