
WP Maps EUVD-2026-36943

CVE-2026-39492 CRITICAL
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-2fh6-qw9c-8c2g
9.3 CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

vuln.today AI: 9.9 CRITICAL
Rationale: Unauthenticated network SQLi over HTTP (AV:N/AC:L/PR:N/UI:N); the plugin's DB user typically allows writes, so I:L (not N); scope-changed since the plugin leaks the whole-site DB.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

Analysis Generated: Jun 15, 2026 - 22:27 (vuln.today)
CVE Published: Jun 15, 2026 - 20:17 (cve.org)

Description (CVE.org)

Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions.

Analysis (AI)

Unauthenticated SQL injection in the WP Maps WordPress plugin (versions 4.9.1 and earlier, by Flipper Code) allows remote attackers to inject arbitrary SQL queries against the underlying WordPress database without any authentication or user interaction. With a CVSS 3.1 score of 9.3 and a scope-changed vector, successful exploitation can disclose sensitive database contents (users, hashed credentials, secrets) and affect availability. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Fingerprint WordPress site running WP Maps ≤ 4.9.1
Delivery: Send crafted HTTP request with SQLi payload to vulnerable plugin endpoint
Exploit: Exfiltrate wp_users hashes and secrets via UNION or blind injection
Execution: Crack admin password offline
Persist: Authenticate to wp-admin and upload malicious plugin
Impact: Achieve full site compromise

Vulnerability Assessment (AI)

Exploitation: No special conditions; remote unauthenticated exploitation against any default WordPress installation that has the WP Maps plugin (versions ≤ 4.9.1) installed and activated, reachable over HTTP/HTTPS. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Real-world risk is high. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker sends a single crafted HTTP request to a public-facing WordPress site running WP Maps ≤ 4.9.1, injecting a UNION SELECT or time-based payload into a vulnerable plugin parameter to extract wp_users password hashes and authentication keys from wp_options. The attacker then cracks the administrator hash offline (or replays session cookies) to log in as admin, upload a malicious plugin, and achieve full site takeover. …

Remediation: Upstream fix available per Patchstack advisory; the released patched version is not independently confirmed from the supplied data. Administrators should upgrade WP Maps to the latest version above 4.9.1 published on the WordPress.org plugin repository and verify the fixed release number against the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-google-map-plugin/vulnerability/wordpress-wp-maps-plugin-4-9-1-sql-injection-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

24 hours: Immediately disable and deactivate WP Maps plugin (all versions ≤4.9.1) on all WordPress installations; begin database access log review for suspicious SQL patterns since plugin deployment. …
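A fleet triage helper for the remediation and 24-hour action above, added here as an example (not code from vuln.today, Patchstack or the plugin vendor). It reads `wp plugin list --format=json` output per site and flags WP Maps installs at version ≤ 4.9.1; the plugin slug `wp-google-map-plugin` is assumed from the Patchstack advisory URL, and the site inventory is constructed sample data.

```python
"""Flag WordPress sites running an affected WP Maps version (<= 4.9.1)."""
import json
import re

AFFECTED_MAX = "4.9.1"                 # highest affected version per the advisory
PLUGIN_SLUG = "wp-google-map-plugin"   # assumption: slug taken from the Patchstack URL


def parse_version(v: str) -> tuple:
    """Turn a dotted version into an int tuple so that 4.10.0 sorts above 4.9.1.
    Non-numeric suffixes such as '-beta' are dropped; an empty string gives ()."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version: str) -> bool:
    """True when version <= 4.9.1. An unparseable/empty version compares as ()
    and is treated as affected, which is the safe default for triage."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


def triage(site: str, plugin_list_json: str) -> dict:
    """Classify one site from its `wp plugin list --format=json` output.
    Status is kept so active installs (the exploitable case) get priority."""
    for p in json.loads(plugin_list_json):
        if p.get("name") == PLUGIN_SLUG:
            ver = p.get("version", "")
            if is_affected(ver):
                action = "affected: deactivate, upgrade, review DB logs"
            else:
                action = "verify fixed release against Patchstack advisory"
            return {"site": site, "version": ver, "status": p.get("status"), "action": action}
    return {"site": site, "version": None, "status": None, "action": "not installed"}


# Constructed sample inventory, not real data.
SAMPLE_SITES = {
    "shop.example": '[{"name":"wp-google-map-plugin","status":"active","update":"available","version":"4.9.1"}]',
    "blog.example": '[{"name":"wp-google-map-plugin","status":"inactive","update":"none","version":"4.10.0"}]',
    "docs.example": '[{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
}


def triage_all(sites: dict = SAMPLE_SITES) -> list:
    """Run triage over every site and return the verdicts."""
    return [triage(name, output) for name, output in sites.items()]


if __name__ == "__main__":
    for verdict in triage_all():
        print(verdict)
```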




