CVE-2026-2580
Time-Based SQL Injection in WP Maps Plugin Allows Data Exposure
Publication date: 2026-03-23
Last updated on: 2026-03-23
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wp_maps_store_locator | up to and including 4.9.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress is vulnerable to a time-based SQL Injection via the 'orderby' parameter in all versions up to and including 4.9.1.
This vulnerability occurs because the plugin does not properly escape or prepare the user-supplied 'orderby' parameter before including it in SQL queries.
As a result, unauthenticated attackers can append additional SQL queries to the existing ones, potentially extracting sensitive information from the database.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to perform time-based SQL Injection attacks, which can lead to unauthorized extraction of sensitive data from the website's database.
Because the attack does not require authentication, it increases the risk of data breaches, exposing confidential information stored in the database.
The CVSS score of 7.5 indicates a high severity impact on confidentiality, though it does not affect integrity or availability directly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in the WP Maps – Store Locator plugin is a time-based SQL Injection via the 'orderby' parameter. Detection typically involves monitoring HTTP requests for suspicious or malformed 'orderby' parameters that attempt to inject SQL code.
You can detect attempts to exploit this vulnerability by inspecting web server logs or using network monitoring tools to look for unusual query strings containing SQL keywords or time-based payloads in the 'orderby' parameter.
Example commands to detect such attempts include:
- Using grep on web server logs to find suspicious 'orderby' parameters (the alternation needs extended regex syntax, hence `-E`): grep -iE 'orderby=.*(sleep|benchmark|waitfor|delay)' access.log
- Using curl to test the vulnerability manually by injecting a time delay payload in the 'orderby' parameter: curl -v 'http://targetsite.com/?orderby=1+AND+SLEEP(5)--+'
- Using intrusion detection systems (IDS) or web application firewalls (WAF) with rules to detect SQL injection patterns in URL parameters.
Note that no explicit detection commands or tools are provided in the available resources, so these suggestions are based on common practices for detecting time-based SQL injection attacks.
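The grep one-liner above misses percent-encoded payloads (`SLEEP%285%29`) and cannot tell a benign column name from an unexpected value. The following script is an added example, not code from this CVE record, from Wordfence or from the plugin; it assumes Apache "combined" log format and the 'orderby' query-parameter name from the advisory, and the log lines it scans are constructed for illustration. It URL-decodes each request's 'orderby' value, flags time-delay primitives, and separately flags any value that is not a plain column identifier, which is the only shape a legitimate ORDER BY key should have.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Mar/2026:10:01:02 +0000] "GET /store-locator/?orderby=title&order=asc HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [23/Mar/2026:10:01:05 +0000] "GET /store-locator/?orderby=1+AND+SLEEP(5)--+ HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.12 - - [23/Mar/2026:10:01:09 +0000] "GET /store-locator/?orderby=%28SELECT%20BENCHMARK%2810000000%2CMD5%281%29%29%29 HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.13 - - [23/Mar/2026:10:02:00 +0000] "GET /store-locator/?orderby=distance&order=desc HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.14 - - [23/Mar/2026:10:02:30 +0000] "GET /contact/ HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Time-delay primitives used by time-based SQL injection on MySQL, MSSQL and PostgreSQL.
TIME_BASED_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)

# What a legitimate ORDER BY key looks like: a bare identifier, optionally table-qualified.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)?$")


def classify_orderby(value):
    """Return 'time-based' for delay payloads, 'malformed' for any non-identifier, else None."""
    if TIME_BASED_RE.search(value):
        return "time-based"
    if not IDENTIFIER_RE.match(value):
        return "malformed"
    return None


def scan_log(text):
    """Return one finding per request whose decoded 'orderby' value is not a plain column identifier."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes and maps '+' to a space, so encoded payloads are inspected in clear form.
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in params.get("orderby", []):
            verdict = classify_orderby(value)
            if verdict:
                findings.append(
                    {"ip": m.group("ip"), "ts": m.group("ts"), "orderby": value, "verdict": verdict}
                )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['verdict']:10s} orderby={f['orderby']!r}")
```

Run it against a real access log with `scan_log(open("access.log").read())`. The 'malformed' tier is deliberately strict: because the plugin is expected to receive only column names in 'orderby', any value with spaces, quotes, parentheses or comment markers is worth a look even when it carries no delay function, and the same identifier rule is the allow-list a fixed version of the code should enforce before the value reaches the query.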
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for this vulnerability include:
- Update the WP Maps – Store Locator plugin to a version later than 4.9.1 where the vulnerability is fixed.
- If an update is not immediately possible, disable or restrict access to the vulnerable plugin functionality, especially any features that accept the 'orderby' parameter from unauthenticated users.
- Implement Web Application Firewall (WAF) rules to block SQL injection attempts targeting the 'orderby' parameter.
- Review and harden database permissions to limit the impact of any potential SQL injection.
- Monitor logs for suspicious activity and respond to any detected exploitation attempts.
The provided resources do not include explicit mitigation instructions, so these recommendations are based on standard best practices for handling SQL injection vulnerabilities.