Skip to main content

WP Go Maps EUVDEUVD-2026-38063

| CVE-2026-12238 MEDIUM
Missing Authorization (CWE-862)
2026-06-19 Wordfence GHSA-68w4-qxch-r794
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable REST API requires no authentication or special conditions; only low-integrity INSERT writes to plugin tables, with no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 19:04 vuln.today
CVE Published
Jun 19, 2026 - 18:32 cve.org
MEDIUM 5.3

DescriptionCVE.org

The WP Go Maps - Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. The namespace validation check (requiring the 'WPGMZA' prefix) does not prevent exploitation because classes such as WPGMZA\Map and WPGMZA\Marker satisfy it while still triggering an INSERT into the corresponding plugin table before the route rejects the request.

AnalysisAI

Authorization bypass in the WP Go Maps WordPress plugin (all versions up to and including 10.1.01) permits unauthenticated remote attackers to insert arbitrary records into plugin-managed database tables - maps, markers, circles, polygons, polylines, rectangles, and point labels - by exploiting a race condition between namespace validation and query execution in the plugin's REST API. The flaw exists because the WPGMZA prefix check in the phpClass parameter validation passes for legitimate plugin classes such as WPGMZA\Map and WPGMZA\Marker, which trigger a SQL INSERT into the corresponding table before the route rejects the request. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate WordPress site for WP Go Maps plugin ≤10.1.01
Delivery
Send unauthenticated REST API POST with WPGMZA-prefixed phpClass parameter
Exploit
Namespace validation check passes for valid plugin class
Execution
SQL INSERT fires against plugin table before route rejection
Impact
Arbitrary records persisted in plugin database tables

Vulnerability AssessmentAI

Exploitation The target WordPress site must have WP Go Maps installed and active at version 10.1.01 or earlier, and the WordPress REST API must be publicly accessible - which is the default configuration for all standard WordPress installations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately models the risk profile: trivially exploitable from the network with no authentication or user interaction, but constrained to low-integrity writes into plugin-owned tables with no confidentiality or availability consequences per the vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress site running WP Go Maps ≤10.1.01 through passive plugin enumeration (e.g., checking /wp-content/plugins/wp-google-maps/ for accessible assets), then sends a single crafted HTTP POST to the plugin's REST API endpoint with the phpClass parameter set to WPGMZA\Marker and arbitrary marker field values. The namespace check passes, an INSERT into the plugin's markers table fires before the route-level rejection, and a spurious marker record is permanently written to the database - requiring no credentials and producing no error visible to the attacker beyond a rejected response body.
Remediation No specific patched version number is confirmed in the available intelligence data; administrators should immediately check the WordPress.org plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/c51c6cfb-9a79-4190-87ff-7eddb866ae56?source=cve for the latest release and apply any available update. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy