PT-2026-47680 · WordPress · Wp-Ultimate-Map
Published 2026-06-09 · Updated 2026-06-11 · CVE-2026-8907
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
WP-Ultimate-Map versions prior to 1.2
Description
The plugin is subject to Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The issue occurs because the process_init() function, which is hooked to admin_init, fails to validate nonces when saving plugin settings via update_option(). This process is triggered solely by the presence of the save-setting POST parameter. Furthermore, saved values, specifically the zoom-level variable, are stored without sanitization and subsequently echoed into an HTML attribute and inline JavaScript on the settings page without escaping. This allows an attacker to change plugin settings and inject arbitrary web scripts if a site administrator is tricked into clicking a malicious link.
Recommendations
Update to a version later than 1.1.
As a temporary mitigation, restrict access to the process_init() function or the save-setting parameter until the update is applied.
Fix
CSRF
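As an added illustration, not the plugin's own code, the hardened pattern the Description points to: the admin_init handler checks a capability and a nonce before calling update_option(), the zoom-level value is validated as a bounded integer, and the stored value is escaped for each output context on the settings page. The option name wpum_zoom_level, the nonce action name and the function names are assumptions; save-setting and zoom-level come from the advisory.

```php
<?php
// Added example, not the plugin's code. Option, nonce and function names
// are assumed; the save-setting and zoom-level parameter names are from
// the advisory.

// Hardened settings save: runs only when the settings form posts, requires
// a capability and a valid nonce, and stores a validated integer.
function wpum_process_init_hardened() {
    if ( ! isset( $_POST['save-setting'] ) ) {
        return;
    }
    // CSRF fix: capability check plus nonce verification.
    // check_admin_referer() stops execution if the nonce is missing or invalid.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'wpum_save_settings', 'wpum_nonce' );

    // Stored-XSS fix: zoom-level is a non-negative integer; values outside
    // the usual 0..21 map zoom range fall back to a default.
    $zoom = isset( $_POST['zoom-level'] ) ? absint( wp_unslash( $_POST['zoom-level'] ) ) : 10;
    if ( $zoom > 21 ) {
        $zoom = 10;
    }
    update_option( 'wpum_zoom_level', $zoom );
}
add_action( 'admin_init', 'wpum_process_init_hardened' );

// Settings form: emits the nonce field the handler verifies and escapes the
// stored value separately for the HTML attribute and the inline script.
function wpum_render_settings_form() {
    $zoom = (int) get_option( 'wpum_zoom_level', 10 );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wpum_save_settings', 'wpum_nonce' ); ?>
        <input type="number" name="zoom-level" min="0" max="21"
               value="<?php echo esc_attr( $zoom ); ?>">
        <button type="submit" name="save-setting" value="1">Save</button>
    </form>
    <script>
        // wp_json_encode() yields a JavaScript literal; the option is never
        // interpolated raw into script text.
        var wpumZoom = <?php echo wp_json_encode( $zoom ); ?>;
    </script>
    <?php
}
```

The unpatched flow described in the advisory differs on exactly these points: no nonce or capability check before update_option(), and the raw POST value echoed into both contexts.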
Affected Products
Wp-Ultimate-Map