Atomic Edge analysis of CVE-2026-2580:
This vulnerability is an unauthenticated time-based SQL injection in the WP Maps plugin, affecting versions up to and including 4.9.1. The flaw resides in the plugin’s tabular data handling component, specifically in the orderby parameter processing. Attackers can exploit this to extract sensitive information from the database, with a CVSS score of 7.5.

The root cause is insufficient input validation and insecure SQL query construction in the prepare_items() method within /wp-google-map-plugin/core/class.tabular.php. The vulnerable code directly concatenates the user-controlled $_GET['orderby'] and $_GET['order'] parameters into the SQL ORDER BY clause without whitelist validation. The usort_reorder() function in the same file relies on sanitize_text_field(), which strips HTML tags and whitespace rather than restricting the value to a known column name, so it does not prevent SQL injection. The is_column() method in /wp-google-map-plugin/core/class.model.php previously only checked for backticks, allowing arbitrary string injection.

Exploitation occurs via unauthenticated HTTP requests to WordPress admin pages where the plugin’s tabular interface is loaded. Attackers send crafted GET requests with malicious orderby parameters containing SQL injection payloads. The attack vector targets any admin listing page using the WPGMP_Tabular class, such as location, map, or route management pages. Payloads use time-based blind SQL injection techniques with SLEEP() or BENCHMARK() functions to extract data.

The patch implements multiple security improvements. It adds a $page_slug property to restrict pro feature modifications to plugin pages only. The usort_reorder() function now validates orderby against a whitelist of sortable columns using sanitize_key() and in_array() checks. The prepare_items() method implements strict column whitelisting for ORDER BY clauses. The is_column() method is rewritten to validate against an $allowed_columns array populated via DESCRIBE table queries. Model classes now call load_columns() to initialize allowed columns.
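To make the vulnerable construction and the whitelist fix concrete, the following is an added illustration written for this analysis, not code from the plugin or its patch. It shows the ORDER BY pattern described above in its unsafe form next to a hardened form using sanitize_key() and in_array(); the table columns and request values are constructed, and sanitize_key() is stubbed so the file runs outside WordPress.

```php
<?php
// Added illustration of the ORDER BY handling discussed above; not the
// plugin's own code. Column names and request values are constructed.

// Stand-in for WordPress's sanitize_key() (lowercase, keep only a-z0-9_-)
// so this file runs without WordPress loaded.
if (!function_exists('sanitize_key')) {
    function sanitize_key(string $key): string {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower($key));
    }
}

// Sortable columns. The patch is described as filling this from a DESCRIBE
// query on the model's table; here it is a hypothetical fixed list.
const ALLOWED_COLUMNS = ['id', 'title', 'created_at'];

// VULNERABLE: request values are concatenated straight into the clause.
// A value such as "title, (SELECT SLEEP(5))" contains no HTML tags or line
// breaks, so sanitize_text_field() would have passed it through unchanged.
function build_order_by_vulnerable(string $orderby, string $order): string {
    return "ORDER BY {$orderby} {$order}";
}

// HARDENED: normalise the column name, accept it only if it is in the
// allow-list (strict comparison), otherwise fall back to a safe default.
// The direction is restricted to the two literals SQL accepts.
function build_order_by_safe(string $orderby, string $order): string {
    $column = sanitize_key($orderby);
    if (!in_array($column, ALLOWED_COLUMNS, true)) {
        $column = 'id';
    }
    $direction = strtoupper($order) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY `{$column}` {$direction}";
}

// Constructed request values: one legitimate sort, one time-based probe.
$requests = [
    ['orderby' => 'title', 'order' => 'desc'],
    ['orderby' => 'title, (SELECT SLEEP(5))', 'order' => 'asc'],
];

foreach ($requests as $req) {
    echo 'vulnerable: ' . build_order_by_vulnerable($req['orderby'], $req['order']) . PHP_EOL;
    echo 'hardened:   ' . build_order_by_safe($req['orderby'], $req['order']) . PHP_EOL;
}
```

The hardened version never echoes attacker-controlled text into the query: an unknown column name is replaced by the default rather than rejected with an error, which is the same allow-list approach the patch is described as taking.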

Successful exploitation allows complete database compromise. Attackers can extract sensitive information including WordPress user credentials, plugin configuration data, location coordinates, and other stored content. The vulnerability enables data exfiltration through time-based inference attacks. While direct remote code execution is unlikely through this vector, database access can lead to privilege escalation and full site takeover.