PT-2026-24581 · Flippercode · Wp Maps – Store Locator

Johska · Published 2026-03-11 · Updated 2026-03-15 · CVE-2026-3222

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WP Maps versions up to and including 4.9.1

Description: The WP Maps plugin for WordPress is vulnerable to time-based blind SQL injection via the location_id parameter. The plugin's database abstraction layer (FlipperCode_Model_Base::is_column()) treats user input enclosed in backticks as a column name; because esc_sql() only escapes characters that matter inside quoted string literals, backtick-delimited identifier input passes through it unchanged. The wpgmp_ajax_call AJAX handler, exposed to unauthenticated visitors through the wp_ajax_nopriv hook, allows arbitrary class methods to be invoked, including wpgmp_return_final_capability(), which places the unsanitized location_id GET parameter directly into a database query. An unauthenticated attacker can therefore append additional SQL to the query and potentially extract sensitive data from the database.

Recommendations: Installations running version 4.9.1 or earlier should be updated to a fixed release when one is available. As a temporary workaround, consider restricting access to the wpgmp_ajax_call AJAX handler, and avoid using the location_id parameter on the affected endpoint until the issue is resolved.
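Until a fixed release is deployed, the request shape described above is easy to spot in web-server access logs. The following detection rule is an added example, not code from the plugin or from this advisory: it parses combined-format access-log lines (constructed samples, not real traffic) and flags requests to admin-ajax.php whose action is wpgmp_ajax_call and whose location_id is anything other than a bare integer. The /wp-admin/admin-ajax.php path is the WordPress default and is assumed for the deployment.

```python
"""Log-based detection for the WP Maps AJAX handler described above.
Added example, not plugin or advisory code. Flags admin-ajax.php requests
with action=wpgmp_ajax_call and a non-integer location_id (constructed
log lines below; the admin-ajax path is the WordPress default, assumed)."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')
BARE_INT = re.compile(r"^\d+$")  # the only shape a location id should take

def parse_line(line):
    """Split one access-log line into fields; None when it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    # parse_qs percent-decodes, so an encoded backtick (%60) is visible below
    query = parse_qs(url.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "time": m.group("time"),
            "method": m.group("method"), "path": url.path, "query": query}

def is_suspicious(rec):
    """True for a wpgmp_ajax_call request whose location_id is not a bare integer."""
    if rec is None or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
        return False
    if rec["query"].get("action", [""])[0] != "wpgmp_ajax_call":
        return False
    loc_ids = rec["query"].get("location_id", [])
    return any(not BARE_INT.match(v) for v in loc_ids)

def scan(lines):
    """Return (client, time, location_id values) for every suspicious line."""
    return [(r["ip"], r["time"], r["query"]["location_id"])
            for r in map(parse_line, lines) if is_suspicious(r)]

# Constructed sample lines: a normal lookup, a backtick-wrapped id, a request
# to a different AJAX action, and an unrelated page.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Mar/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=%60NOT_AN_INTEGER%60 HTTP/1.1" 200 512',
    '198.51.100.2 - - [11/Mar/2026:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&location_id=abc HTTP/1.1" 200 12',
    '198.51.100.9 - - [11/Mar/2026:10:00:20 +0000] "GET /index.php?p=3 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, when, ids in scan(SAMPLE_LOG):
        print(f"{when} {ip} suspicious location_id={ids}")
```

Access logs only record the query string, so this rule sees GET requests; parameters sent in a POST body need request-body logging or a WAF rule applying the same integer-only check.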

Fix

SQL injection

Weakness Enumeration

Related Identifiers: CVE-2026-3222

Affected Products: Wp Maps – Store Locator