CVE-2025-12062
Local File Inclusion in WP Maps Plugin Enables Code Execution
Publication date: 2026-02-17
Last updated on: 2026-02-17
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flippercode | wp_google_map_plugin | to 4.8.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Maps β Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress has a Local File Inclusion vulnerability in all versions up to and including 4.8.6. This vulnerability exists in the fc_load_template function.
It allows authenticated attackers with Subscriber-level access or higher to include and execute arbitrary .html files on the server. Since these .html files can contain PHP code, attackers can execute any PHP code within those files.
This can be exploited to bypass access controls, obtain sensitive data, or achieve code execution if .html files can be uploaded and included.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including:
- Bypassing access controls, allowing attackers to access restricted areas or data.
- Obtaining sensitive data stored on the server.
- Executing arbitrary PHP code on the server, which can lead to full system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the WP Maps β Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress to version 4.8.7 or later.
The update addresses security issues including this Local File Inclusion vulnerability, as indicated by the changeset committed on 11/28/2025 which resolved these issues.
Ensure that only trusted users have authenticated access to the WordPress site, especially those with Subscriber-level access and above, to reduce risk.