CVE-2026-3222
Time-Based Blind SQL Injection in WP Maps Plugin Allows Data Exposure
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weplugins | wp_google_map_plugin | to 4.9.1 (inc) |
| flippercode | wp_maps | to 4.9.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Maps plugin for WordPress, in all versions up to and including 4.9.1, is vulnerable to a time-based blind SQL Injection via the 'location_id' parameter. This vulnerability arises because the plugin's database abstraction layer method `FlipperCode_Model_Base::is_column()` treats user input wrapped in backticks as column names, which bypasses the usual SQL escaping function `esc_sql()`. Additionally, the AJAX handler `wpgmp_ajax_call` (which is accessible to unauthenticated users) allows calling arbitrary class methods including `wpgmp_return_final_capability`. This method passes the unsanitized `location_id` GET parameter directly into a database query. As a result, unauthenticated attackers can inject additional SQL queries into existing queries, enabling them to extract sensitive information from the database.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a time-based blind SQL Injection via the 'location_id' parameter in the WP Maps plugin for WordPress (versions up to 4.9.1). Detection can focus on monitoring HTTP requests targeting the AJAX handler 'wpgmp_ajax_call' that is accessible to unauthenticated users and includes the 'location_id' GET parameter.
To detect potential exploitation attempts on your system or network, you can monitor web server logs or use network intrusion detection systems (NIDS) to look for suspicious requests containing SQL injection patterns in the 'location_id' parameter.
- Check web server access logs for requests to the AJAX endpoint with suspicious 'location_id' values, e.g., containing SQL syntax such as quotes, backticks, or SQL keywords.
- Example command to search Apache or Nginx logs for suspicious 'location_id' parameters (Linux shell):
- grep -i 'wpgmp_ajax_call' /var/log/apache2/access.log | grep -E 'location_id=.*(\'|`|union|select|and|or)'
- Use tools like curl or wget to test the endpoint manually by sending crafted requests with time delays or SQL payloads to observe if the server response time indicates a time-based blind SQL injection.
- Example curl command to test for time-based SQL injection (replace URL and parameters accordingly):
- curl 'https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=1 AND SLEEP(5)' -i
If the response is delayed significantly (e.g., by 5 seconds), it may indicate the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps for this vulnerability include updating the WP Maps plugin to a version that patches the SQL injection issue, as the vulnerability affects all versions up to and including 4.9.1.'}, {'type': 'paragraph', 'content': 'If an update is not immediately available or feasible, consider the following temporary mitigations:'}, {'type': 'list_item', 'content': "Restrict access to the AJAX handler 'wpgmp_ajax_call' for unauthenticated users by applying web server rules or firewall policies to block or limit requests to this endpoint."}, {'type': 'list_item', 'content': "Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'location_id' parameter."}, {'type': 'list_item', 'content': "Sanitize and validate all user inputs in custom code or plugin extensions if applicable, ensuring that parameters like 'location_id' are strictly numeric and do not allow SQL syntax."}, {'type': 'list_item', 'content': 'Review and apply any security patches or updates released by the plugin author, as indicated in the changeset updating from version 4.9.1 to 4.9.2, which includes improved sanitization and capability checks.'}, {'type': 'paragraph', 'content': 'Ultimately, upgrading to the fixed plugin version (4.9.2 or later) is the most effective and recommended mitigation.'}] [7]
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to perform time-based blind SQL Injection attacks on the WP Maps plugin. By exploiting the unsanitized 'location_id' parameter, attackers can append malicious SQL queries to extract sensitive data from the database without authentication.
The impact includes unauthorized disclosure of sensitive information stored in the database, which could include user data, site configuration, or other confidential information managed by the plugin or WordPress site.
Because the attack can be performed without any user authentication and requires only sending crafted requests to the vulnerable AJAX handler, it poses a significant security risk to affected WordPress sites using the vulnerable versions of the WP Maps plugin.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know