CVE-2026-8907
Status: Received - Intake
Cross-Site Request Forgery and Stored XSS in WP Ultimate Map WordPress Plugin

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Wordfence

Description
The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the process_init() function hooked to admin_init, which saves plugin settings (zoom-level, focus-lat, focus-lng, sel_places, sel_routes) via update_option() based solely on the presence of a save-setting POST parameter. Additionally, the saved values, particularly zoom-level, are stored without sanitization and later echoed into an HTML attribute (and inline JavaScript) on the settings page without escaping. This makes it possible for unauthenticated attackers to change plugin settings and inject arbitrary web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Affected Vendors & Products
Vendor / Product: wp_ultimate_map plugin
Version / Range: up to and including 1.1
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Executive Summary

The WP-Ultimate-Map plugin for WordPress versions up to and including 1.1 is vulnerable to Cross-Site Request Forgery (CSRF). This happens because the plugin's process_init() function, which saves plugin settings, lacks nonce validation. The function updates settings based only on the presence of a save-setting POST parameter without verifying the request's authenticity.

Additionally, some saved values, especially the zoom-level, are stored without sanitization and later output directly into HTML attributes and inline JavaScript on the settings page without escaping. This combination allows an attacker to trick an administrator into performing an action (like clicking a malicious link), enabling the attacker to change plugin settings and inject arbitrary scripts.
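The following is an added illustration, not code from the WP-Ultimate-Map plugin or from Wordfence: it reconstructs, from the description above and the executive summary, the settings-save pattern the advisory describes (a handler on admin_init that trusts the mere presence of a save-setting POST field and echoes the stored value unescaped) and places the hardened form beside it. Option names (wpum_*), function names, the nonce action name, the default zoom and the zoom bounds are assumptions chosen for this example; the WordPress API calls (check_admin_referer, wp_nonce_field, current_user_can, absint, esc_attr, wp_json_encode) are real.

```php
<?php
// Added example (not the plugin's code): the pattern the advisory describes,
// reconstructed from its description, next to a hardened version.
// Option names, function names and the nonce action are assumptions.

// --- Pattern described in the advisory: no nonce or capability check, raw
// values stored, later echoed unescaped. Not hooked here, shown for contrast.
function wpum_example_process_init_vulnerable() {
    if ( isset( $_POST['save-setting'] ) ) {
        // Any POST carrying save-setting is trusted, so a cross-site form
        // submitted by a logged-in admin's browser is accepted as-is.
        update_option( 'wpum_zoom_level', $_POST['zoom-level'] );
    }
}

// --- Hardened form: capability check, nonce check, type-enforcing sanitization.
function wpum_example_process_init_hardened() {
    if ( ! isset( $_POST['save-setting'] ) ) {
        return;
    }
    // 1. Only users allowed to manage options may save them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. Verify the nonce emitted by wp_nonce_field() on the settings page.
    //    A forged request from another origin cannot supply it, so this dies.
    check_admin_referer( 'wpum_save_settings', 'wpum_settings_nonce' );

    // 3. Coerce every field to its expected type before it reaches update_option().
    $zoom = isset( $_POST['zoom-level'] ) ? absint( $_POST['zoom-level'] ) : 10; // assumed default
    $zoom = min( max( $zoom, 0 ), 21 );                                          // assumed zoom bounds
    $lat  = isset( $_POST['focus-lat'] ) ? floatval( $_POST['focus-lat'] ) : 0.0;
    $lng  = isset( $_POST['focus-lng'] ) ? floatval( $_POST['focus-lng'] ) : 0.0;
    // Selected places/routes: keep only integer IDs, drop anything else.
    $places = isset( $_POST['sel_places'] ) ? array_map( 'absint', (array) $_POST['sel_places'] ) : array();
    $routes = isset( $_POST['sel_routes'] ) ? array_map( 'absint', (array) $_POST['sel_routes'] ) : array();

    update_option( 'wpum_zoom_level', $zoom );
    update_option( 'wpum_focus_lat', $lat );
    update_option( 'wpum_focus_lng', $lng );
    update_option( 'wpum_sel_places', $places );
    update_option( 'wpum_sel_routes', $routes );
}
add_action( 'admin_init', 'wpum_example_process_init_hardened' );

// Settings page: emit the nonce and escape stored values for each output context.
function wpum_example_render_settings_page() {
    $zoom = (int) get_option( 'wpum_zoom_level', 10 );
    $lat  = (float) get_option( 'wpum_focus_lat', 0.0 );
    $lng  = (float) get_option( 'wpum_focus_lng', 0.0 );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wpum_save_settings', 'wpum_settings_nonce' ); ?>
        <!-- esc_attr() for the HTML attribute context -->
        <input type="number" name="zoom-level" value="<?php echo esc_attr( $zoom ); ?>">
        <input type="text" name="focus-lat" value="<?php echo esc_attr( $lat ); ?>">
        <input type="text" name="focus-lng" value="<?php echo esc_attr( $lng ); ?>">
        <input type="submit" name="save-setting" value="Save">
    </form>
    <script>
        // wp_json_encode() for the inline-JavaScript context instead of echoing raw values.
        var wpumSettings = <?php echo wp_json_encode( array( 'zoom' => $zoom, 'lat' => $lat, 'lng' => $lng ) ); ?>;
    </script>
    <?php
}
```

The two halves of the fix are independent and both are needed: the nonce and capability checks stop the forged request from being processed at all, while the type coercion on input and esc_attr()/wp_json_encode() on output mean that even a value that does reach the option table cannot break out of the attribute or script context it is rendered into.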

Impact Analysis

This vulnerability can allow an unauthenticated attacker to modify the plugin's settings by tricking a site administrator into executing a forged request. Because the plugin saves settings without proper validation or sanitization, the attacker can inject arbitrary web scripts into the site.

The impact includes potential cross-site scripting (XSS) attacks, which can lead to session hijacking, defacement, or other malicious actions performed in the context of the administrator's browser. This compromises the integrity and security of the WordPress site.
