How to fix CVE-2025-12062?

Within 24 hours: Inventory all WordPress installations using WP Maps plugin version 4.8.6 or earlier and assess exposure level. Within 7 days: Implement WAF rules to block malicious fc_load_template requests and disable the plugin if non-critical to operations. Within 30 days: Monitor vendor security advisories for patch availability and develop a deployment plan; consider migrating to alternative location-based solutions if patch timeline extends beyond acceptable risk window.

Is PHP affected by CVE-2025-12062?

The WP Maps plugin, commonly used for location-based business features on WordPress sites, contains a critical vulnerability allowing attackers to access sensitive files on affected servers.

CVE-2025-12062

HIGH

2026-02-17 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 17, 2026 - 00:16 nvd

HIGH 8.8

Description

The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .html files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .html file types can be uploaded and included.

Analysis

Technical Context

Classified as CWE-22 (Path Traversal). Affects the fc_load_template component of Filter. The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .html files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data,

Affected Products

Product: Filter. Versions: up to 4.8.6. Component: fc_load_template.

Remediation

Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: 0

CVE-2025-12062 vulnerability details – vuln.today

Back

CVE-2025-12062

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-12062

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code