CVE-2026-6381
Local File Inclusion in WP Maps WordPress Plugin
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_maps | wp_maps_plugin | to 4.9.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Maps plugin for WordPress, before version 4.9.3, contains a vulnerability known as Local File Inclusion (LFI). This happens because the plugin does not properly sanitize a parameter that is used in file paths. As a result, authenticated users with Subscriber-level access or higher can exploit this flaw to include local files on the server.
- The vulnerability is identified as CVE-2026-6381.
- It is classified under OWASP Top 10 category A1 (Injection) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
- The issue was fixed in version 4.9.3 of the plugin.
How can this vulnerability impact me? :
This vulnerability can have serious impacts because it allows authenticated users to perform Local File Inclusion attacks. Such attacks can lead to unauthorized access to sensitive files on the server, potentially exposing confidential information or enabling further exploitation.
The CVSS score of 7.5 indicates a high severity level, meaning the impact on confidentiality, integrity, and availability can be significant.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the WP Maps plugin version is prior to 4.9.3, as those versions are vulnerable to Local File Inclusion (LFI) attacks.
Since the vulnerability involves improper sanitization of a parameter used in file paths, detection may involve attempting to access local files via crafted requests to the plugin endpoints while authenticated with Subscriber-level access or higher.
Specific commands or scripts to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the WP Maps plugin to version 4.9.3 or later, where the issue has been fixed.
Additionally, restrict authenticated user permissions to only those necessary, as the vulnerability requires at least Subscriber-level access to exploit.