Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the process_init() function hooked to admin_init, which saves plugin settings (zoom-level, focus-lat, focus-lng, sel_places, sel_routes) via update_option() based solely on the presence of a save-setting POST parameter. Additionally, the saved values - particularly zoom-level - are stored without sanitization and later echoed into an HTML attribute (and inline JavaScript) on the settings page without escaping. This makes it possible for unauthenticated attackers to change plugin settings and inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AnalysisAI
WP-Ultimate-Map plugin for WordPress (versions up to and including 1.1) is vulnerable to a chained CSRF-to-stored-XSS attack that allows unauthenticated network attackers to hijack plugin settings and inject persistent JavaScript into the WordPress admin panel. The missing nonce check on process_init() - hooked to admin_init - means any forged POST with a save-setting parameter will overwrite plugin options without any authentication or state validation. The injected zoom-level value is then stored unsanitized and reflected verbatim into an HTML attribute and inline JavaScript block on the settings page, completing the XSS chain. No public exploit identified at time of analysis.
Technical ContextAI
The vulnerability lives in admin/class-admin.php of the WP-Ultimate-Map plugin (rahulbhangale, CPE: cpe:2.3:a:rahulbhangale:wp-ultimate-map:*:*:*:*:*:*:*:*), specifically at lines L21, L24, and L63 visible in the WordPress plugin SVN repository. The process_init() function is registered as a callback on WordPress's admin_init action hook, which fires on every admin-context request. WordPress's standard CSRF protection relies on nonce tokens (wp_verify_nonce), but this function skips that check entirely, using only the presence of the save-setting POST parameter as a trigger. It then calls update_option() to persist attacker-controlled values - zoom-level, focus-lat, focus-lng, sel_places, and sel_routes - directly into the WordPress options table. The zoom-level value is subsequently output on the settings page without sanitization or escaping, both as an HTML attribute value and within an inline <script> block. The root cause class is CWE-352 (Cross-Site Request Forgery), with the resulting stored XSS as a secondary but high-impact consequence enabled by absent output encoding.
RemediationAI
No vendor-released patched version has been identified at time of analysis - the available references point exclusively to version 1.1 source code with no indication of a subsequent release. Site administrators should remove or deactivate the WP-Ultimate-Map plugin immediately until the vendor publishes a fix that adds nonce validation to process_init() and output-encodes the zoom-level value before rendering. As a compensating control, restrict WordPress admin panel access (wp-admin/) to known IP ranges via server-level rules (nginx allow/deny or Apache Require ip) - this prevents the CSRF payload from reaching the admin_init hook even if an admin is tricked into visiting a malicious page from an untrusted network. Note that IP restriction may break remote administration workflows. Additionally, a Web Application Firewall rule blocking POST requests to wp-admin containing a save-setting parameter from unauthenticated sessions can serve as a secondary control. Monitor for anomalous changes to the zoom-level, focus-lat, focus-lng, sel_places, or sel_routes WordPress options values as an indicator of exploitation. Consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/334fb374-c84b-4fec-8653-f7ad6af1f631 for updates.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35304
GHSA-vq77-9gmh-wxx2