CVE-2026-3222
Received Received - Intake
Time-Based Blind SQL Injection in WP Maps Plugin Allows Data Exposure

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: Wordfence

Description
The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped in backticks as column names, bypassing the `esc_sql()` escaping function. Additionally, the `wpgmp_ajax_call` AJAX handler (registered for unauthenticated users via `wp_ajax_nopriv`) allows calling arbitrary class methods including `wpgmp_return_final_capability`, which passes the unsanitized `location_id` GET parameter directly to a database query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3222
EUVD
EUVD-2026-11103
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
weplugins wp_google_map_plugin to 4.9.1 (inc)
flippercode wp_maps to 4.9.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WP Maps plugin for WordPress, in all versions up to and including 4.9.1, is vulnerable to a time-based blind SQL Injection via the 'location_id' parameter. This vulnerability arises because the plugin's database abstraction layer method `FlipperCode_Model_Base::is_column()` treats user input wrapped in backticks as column names, which bypasses the usual SQL escaping function `esc_sql()`. Additionally, the AJAX handler `wpgmp_ajax_call` (which is accessible to unauthenticated users) allows calling arbitrary class methods including `wpgmp_return_final_capability`. This method passes the unsanitized `location_id` GET parameter directly into a database query. As a result, unauthenticated attackers can inject additional SQL queries into existing queries, enabling them to extract sensitive information from the database.

Impact Analysis

This vulnerability allows unauthenticated attackers to perform time-based blind SQL Injection attacks on the WP Maps plugin. By exploiting the unsanitized 'location_id' parameter, attackers can append malicious SQL queries to extract sensitive data from the database without authentication.

The impact includes unauthorized disclosure of sensitive information stored in the database, which could include user data, site configuration, or other confidential information managed by the plugin or WordPress site.

Because the attack can be performed without any user authentication and requires only sending crafted requests to the vulnerable AJAX handler, it poses a significant security risk to affected WordPress sites using the vulnerable versions of the WP Maps plugin.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves a time-based blind SQL Injection via the 'location_id' parameter in the WP Maps plugin for WordPress (versions up to 4.9.1). Detection can focus on monitoring HTTP requests targeting the AJAX handler 'wpgmp_ajax_call' that is accessible to unauthenticated users and includes the 'location_id' GET parameter.

To detect potential exploitation attempts on your system or network, you can monitor web server logs or use network intrusion detection systems (NIDS) to look for suspicious requests containing SQL injection patterns in the 'location_id' parameter.

  • Check web server access logs for requests to the AJAX endpoint with suspicious 'location_id' values, e.g., containing SQL syntax such as quotes, backticks, or SQL keywords.
  • Example command to search Apache or Nginx logs for suspicious 'location_id' parameters (Linux shell):
  • grep -i 'wpgmp_ajax_call' /var/log/apache2/access.log | grep -E 'location_id=.*(\'|`|union|select|and|or)'
  • Use tools like curl or wget to test the endpoint manually by sending crafted requests with time delays or SQL payloads to observe if the server response time indicates a time-based blind SQL injection.
  • Example curl command to test for time-based SQL injection (replace URL and parameters accordingly):
  • curl 'https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=1 AND SLEEP(5)' -i

If the response is delayed significantly (e.g., by 5 seconds), it may indicate the presence of the vulnerability.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps for this vulnerability include updating the WP Maps plugin to a version that patches the SQL injection issue, as the vulnerability affects all versions up to and including 4.9.1.'}, {'type': 'paragraph', 'content': 'If an update is not immediately available or feasible, consider the following temporary mitigations:'}, {'type': 'list_item', 'content': "Restrict access to the AJAX handler 'wpgmp_ajax_call' for unauthenticated users by applying web server rules or firewall policies to block or limit requests to this endpoint."}, {'type': 'list_item', 'content': "Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'location_id' parameter."}, {'type': 'list_item', 'content': "Sanitize and validate all user inputs in custom code or plugin extensions if applicable, ensuring that parameters like 'location_id' are strictly numeric and do not allow SQL syntax."}, {'type': 'list_item', 'content': 'Review and apply any security patches or updates released by the plugin author, as indicated in the changeset updating from version 4.9.1 to 4.9.2, which includes improved sanitization and capability checks.'}, {'type': 'paragraph', 'content': 'Ultimately, upgrading to the fixed plugin version (4.9.2 or later) is the most effective and recommended mitigation.'}] [7]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3222. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart