Skip to main content

WP-Ultimate-Map CVE-2026-8907

| EUVDEUVD-2026-35304 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-09 Wordfence GHSA-vq77-9gmh-wxx2
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 05:14 vuln.today
CVE Published
Jun 09, 2026 - 03:41 nvd
MEDIUM 6.1

DescriptionCVE.org

The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the process_init() function hooked to admin_init, which saves plugin settings (zoom-level, focus-lat, focus-lng, sel_places, sel_routes) via update_option() based solely on the presence of a save-setting POST parameter. Additionally, the saved values - particularly zoom-level - are stored without sanitization and later echoed into an HTML attribute (and inline JavaScript) on the settings page without escaping. This makes it possible for unauthenticated attackers to change plugin settings and inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

WP-Ultimate-Map plugin for WordPress (versions up to and including 1.1) is vulnerable to a chained CSRF-to-stored-XSS attack that allows unauthenticated network attackers to hijack plugin settings and inject persistent JavaScript into the WordPress admin panel. The missing nonce check on process_init() - hooked to admin_init - means any forged POST with a save-setting parameter will overwrite plugin options without any authentication or state validation. The injected zoom-level value is then stored unsanitized and reflected verbatim into an HTML attribute and inline JavaScript block on the settings page, completing the XSS chain. No public exploit identified at time of analysis.

Technical ContextAI

The vulnerability lives in admin/class-admin.php of the WP-Ultimate-Map plugin (rahulbhangale, CPE: cpe:2.3:a:rahulbhangale:wp-ultimate-map:*:*:*:*:*:*:*:*), specifically at lines L21, L24, and L63 visible in the WordPress plugin SVN repository. The process_init() function is registered as a callback on WordPress's admin_init action hook, which fires on every admin-context request. WordPress's standard CSRF protection relies on nonce tokens (wp_verify_nonce), but this function skips that check entirely, using only the presence of the save-setting POST parameter as a trigger. It then calls update_option() to persist attacker-controlled values - zoom-level, focus-lat, focus-lng, sel_places, and sel_routes - directly into the WordPress options table. The zoom-level value is subsequently output on the settings page without sanitization or escaping, both as an HTML attribute value and within an inline <script> block. The root cause class is CWE-352 (Cross-Site Request Forgery), with the resulting stored XSS as a secondary but high-impact consequence enabled by absent output encoding.

RemediationAI

No vendor-released patched version has been identified at time of analysis - the available references point exclusively to version 1.1 source code with no indication of a subsequent release. Site administrators should remove or deactivate the WP-Ultimate-Map plugin immediately until the vendor publishes a fix that adds nonce validation to process_init() and output-encodes the zoom-level value before rendering. As a compensating control, restrict WordPress admin panel access (wp-admin/) to known IP ranges via server-level rules (nginx allow/deny or Apache Require ip) - this prevents the CSRF payload from reaching the admin_init hook even if an admin is tricked into visiting a malicious page from an untrusted network. Note that IP restriction may break remote administration workflows. Additionally, a Web Application Firewall rule blocking POST requests to wp-admin containing a save-setting parameter from unauthenticated sessions can serve as a secondary control. Monitor for anomalous changes to the zoom-level, focus-lat, focus-lng, sel_places, or sel_routes WordPress options values as an indicator of exploitation. Consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/334fb374-c84b-4fec-8653-f7ad6af1f631 for updates.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-8907 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy