Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable REST API requires no authentication or special conditions; only low-integrity INSERT writes to plugin tables, with no confidentiality or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WP Go Maps - Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. The namespace validation check (requiring the 'WPGMZA' prefix) does not prevent exploitation because classes such as WPGMZA\Map and WPGMZA\Marker satisfy it while still triggering an INSERT into the corresponding plugin table before the route rejects the request.
AnalysisAI
Authorization bypass in the WP Go Maps WordPress plugin (all versions up to and including 10.1.01) permits unauthenticated remote attackers to insert arbitrary records into plugin-managed database tables - maps, markers, circles, polygons, polylines, rectangles, and point labels - by exploiting a race condition between namespace validation and query execution in the plugin's REST API. The flaw exists because the WPGMZA prefix check in the phpClass parameter validation passes for legitimate plugin classes such as WPGMZA\Map and WPGMZA\Marker, which trigger a SQL INSERT into the corresponding table before the route rejects the request. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target WordPress site must have WP Go Maps installed and active at version 10.1.01 or earlier, and the WordPress REST API must be publicly accessible - which is the default configuration for all standard WordPress installations. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately models the risk profile: trivially exploitable from the network with no authentication or user interaction, but constrained to low-integrity writes into plugin-owned tables with no confidentiality or availability consequences per the vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running WP Go Maps ≤10.1.01 through passive plugin enumeration (e.g., checking /wp-content/plugins/wp-google-maps/ for accessible assets), then sends a single crafted HTTP POST to the plugin's REST API endpoint with the phpClass parameter set to WPGMZA\Marker and arbitrary marker field values. The namespace check passes, an INSERT into the plugin's markers table fires before the route-level rejection, and a spurious marker record is permanently written to the database - requiring no credentials and producing no error visible to the attacker beyond a rejected response body. |
| Remediation | No specific patched version number is confirmed in the available intelligence data; administrators should immediately check the WordPress.org plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/c51c6cfb-9a79-4190-87ff-7eddb866ae56?source=cve for the latest release and apply any available update. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38063
GHSA-68w4-qxch-r794