CVE-2026-6381
Deferred Deferred - Pending Action
Local File Inclusion in WP Maps WordPress Plugin

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: WPScan

Description
The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-18
Last Modified
2026-05-18
Generated
2026-06-10
AI Q&A
2026-05-18
EPSS Evaluated
2026-06-08
NVD
CVE-2026-6381
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_maps wp_maps_plugin to 4.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WP Maps plugin for WordPress, before version 4.9.3, contains a vulnerability known as Local File Inclusion (LFI). This happens because the plugin does not properly sanitize a parameter that is used in file paths. As a result, authenticated users with Subscriber-level access or higher can exploit this flaw to include local files on the server.

  • The vulnerability is identified as CVE-2026-6381.
  • It is classified under OWASP Top 10 category A1 (Injection) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
  • The issue was fixed in version 4.9.3 of the plugin.
Impact Analysis

This vulnerability can have serious impacts because it allows authenticated users to perform Local File Inclusion attacks. Such attacks can lead to unauthorized access to sensitive files on the server, potentially exposing confidential information or enabling further exploitation.

The CVSS score of 7.5 indicates a high severity level, meaning the impact on confidentiality, integrity, and availability can be significant.

Detection Guidance

This vulnerability can be detected by checking if the WP Maps plugin version is prior to 4.9.3, as those versions are vulnerable to Local File Inclusion (LFI) attacks.

Since the vulnerability involves improper sanitization of a parameter used in file paths, detection may involve attempting to access local files via crafted requests to the plugin endpoints while authenticated with Subscriber-level access or higher.

Specific commands or scripts to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WP Maps plugin to version 4.9.3 or later, where the issue has been fixed.

Additionally, restrict authenticated user permissions to only those necessary, as the vulnerability requires at least Subscriber-level access to exploit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6381. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart