Attack Vectors
WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters (slug: wp-google-map-plugin) versions up to and including 4.9.1 are affected by CVE-2026-3222, a High severity issue (CVSS 7.5, vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
The vulnerability is an unauthenticated SQL Injection reachable over the network without login (no privileges required and no user interaction required). It is triggered through the location_id parameter, including via the plugin’s unauthenticated AJAX handler (wpgmp_ajax_call registered with wp_ajax_nopriv).
Because this is described as a time-based blind SQL injection, an attacker does not read query results directly but infers them by measuring response delays. That requires many requests per extracted value, so this pattern is often a sign of automated scanning and exploitation attempts that can scale across many sites.
Reference: CVE-2026-3222 record.
Security Weakness
The issue stems from how the plugin’s database abstraction layer handles input. Specifically, FlipperCode_Model_Base::is_column() can treat user-controlled input wrapped in backticks as a column name, which can bypass the intended escaping (esc_sql()). This creates an opportunity for malicious SQL fragments to be processed in a way the plugin did not intend.
In addition, the unauthenticated AJAX handler can allow calling class methods (including wpgmp_return_final_capability) that can pass the unsanitized location_id GET parameter along the execution path, enabling injection.
In business terms: this is a validation and input-handling failure in a public-facing endpoint, which increases exposure because the attacker does not need an account.
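As an added example (not from the advisory or the plugin's code), the following Python triage script flags requests to the wpgmp_ajax_call handler whose location_id is not a plain integer, contains a backtick, or contains a delay function, and notes slow responses when they coincide with such a parameter. The log format and the sample lines are constructed for illustration; adapt the regex to your own server's access-log format.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (not from any real site), in the form:
#   client_ip "METHOD request_uri" status response_time_ms
LOG_LINES = [
    '203.0.113.5 "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=12" 200 48',
    '203.0.113.5 "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=12%60%20AND%20SLEEP(5)--" 200 5031',
    '198.51.100.7 "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=%60id%60" 200 5120',
    '192.0.2.9 "GET /index.php?page_id=3" 200 61',
]

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) (\d+)$')
INT_RE = re.compile(r"^\d+$")  # a legitimate location_id is a plain integer
# Delay primitives typical of time-based blind probing, matched after URL decoding.
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields; return None for lines we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, uri, status, ms = m.groups()
    return {"ip": ip, "method": method, "uri": uri, "status": int(status), "ms": int(ms)}


def classify(entry, slow_ms=3000):
    """Return the reasons a request looks like a probe of location_id (empty list = nothing to flag)."""
    url = urlparse(entry["uri"])
    qs = parse_qs(url.query)  # percent-decodes values, so %60 becomes a backtick
    if url.path != "/wp-admin/admin-ajax.php" or qs.get("action") != ["wpgmp_ajax_call"] or "location_id" not in qs:
        return []
    loc = qs["location_id"][0]
    reasons = []
    if not INT_RE.match(loc):
        reasons.append("non-numeric location_id")
    if "`" in loc:
        reasons.append("backtick in location_id")  # the identifier path the advisory describes
    if DELAY_RE.search(loc):
        reasons.append("delay function in location_id")
    # A slow answer is only meaningful alongside a malformed parameter.
    if reasons and entry["ms"] >= slow_ms:
        reasons.append(f"slow response ({entry['ms']} ms)")
    return reasons


def scan(lines):
    """Return (client_ip, reasons) for every parsable line that was flagged."""
    entries = filter(None, map(parse_line, lines))
    return [(e["ip"], r) for e in entries if (r := classify(e))]
```

Running scan(LOG_LINES) flags the two probe lines and leaves the ordinary integer lookup and the unrelated page request untouched.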
Technical or Business Impacts
The CVSS profile indicates a high confidentiality impact (C:H) with no direct integrity or availability impact scored (I:N/A:N). Practically, that means the primary risk is data exposure—for example, attackers may be able to extract sensitive information from the WordPress database over time using blind techniques.
For marketing and executive stakeholders, the most material outcomes typically include: potential exposure of customer/contact data stored in WordPress, loss of trust, incident response and legal/compliance costs, and disruption to campaigns while containment and forensic review occur. If regulated personal data is involved, this may also trigger reporting obligations depending on jurisdiction and contractual requirements.
Similar attacks have driven real-world breaches where SQL injection was used to access sensitive data, such as the TalkTalk 2015 cyber attack and the Heartland Payment Systems data breach.
Remediation: update WP Maps to version 4.9.2 or newer (patched). Source advisory: Wordfence vulnerability report.