Unauthorized Access in WP Go Maps Plugin for WordPress
CVE-2026-8386

Currently unrated

Key Information:

Vendor: WordPress
Status: WP Go Maps
Vendor: CVE Published:; 15 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-8386?

The WP Go Maps plugin for WordPress prior to version 10.0.10 has a significant flaw in its public single-marker REST endpoint. Due to a lack of approval-state filtering, this vulnerability allows unauthenticated users to access marker records that have not been approved by an administrator for public visibility. This exposure can potentially reveal sensitive personal information (PII) such as addresses and descriptions, along with the geographic coordinates of the markers. This lack of access control presents serious privacy risks and should be addressed promptly by updating to the latest version.

Affected Version(s)

WP Go Maps 0 < 10.0.10

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-8386 - Proof of Concept

References

https://wpscan.com/vulnerability/fa7f5cb0-abe2-4079-9290-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 15, 2026
👾
Exploit known to exist
Jun 15, 2026
Vulnerability published
Jun 15, 2026
Vulnerability Reserved
May 12, 2026

Credit

Sudhanshu Chauhan [RedHunt Labs]

WPScan

CVE-2026-8386 Data

JSON