CVE-2026-8907
Deferred - Pending Action

Cross-Site Request Forgery and Stored XSS in WP Ultimate Map WordPress Plugin

Vulnerability report for CVE-2026-8907, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Wordfence

Description

The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the process_init() function hooked to admin_init, which saves plugin settings (zoom-level, focus-lat, focus-lng, sel_places, sel_routes) via update_option() based solely on the presence of a save-setting POST parameter. Additionally, the saved values, particularly zoom-level, are stored without sanitization and later echoed into an HTML attribute (and inline JavaScript) on the settings page without escaping. This makes it possible for unauthenticated attackers to change plugin settings and inject arbitrary web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
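The description names the two missing controls (a nonce check before update_option() and escaping on output). The following is an added illustration of a hardened settings handler, not the plugin's own code: the hook and option names are those quoted above, while the wpum_ function names, the nonce action string and the zoom bounds are assumptions.

```php
<?php
// Hardened form of an admin_init settings handler (added example, not the
// plugin's code). Option and POST names follow the advisory; everything
// prefixed wpum_ and the nonce action string are assumed names.

add_action( 'admin_init', 'wpum_process_init' );

function wpum_process_init() {
    // Only react to the save request, as the original handler does.
    if ( ! isset( $_POST['save-setting'] ) ) {
        return;
    }
    // 1. Capability check: only administrators may change these options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wp-ultimate-map' ) );
    }
    // 2. Nonce check: a forged cross-site request carries no valid nonce,
    //    so check_admin_referer() stops it before anything is written.
    check_admin_referer( 'wpum_save_settings', 'wpum_nonce' );

    // 3. Sanitize each value to its expected type before update_option().
    $zoom = absint( wp_unslash( $_POST['zoom-level'] ?? 10 ) );
    $zoom = max( 0, min( 21, $zoom ) ); // assumed valid map zoom range
    update_option( 'zoom-level', $zoom );
    update_option( 'focus-lat', (float) wp_unslash( $_POST['focus-lat'] ?? 0 ) );
    update_option( 'focus-lng', (float) wp_unslash( $_POST['focus-lng'] ?? 0 ) );
    // Selected places/routes are treated as lists of non-negative integer IDs.
    foreach ( array( 'sel_places', 'sel_routes' ) as $key ) {
        $raw = (array) wp_unslash( $_POST[ $key ] ?? array() );
        update_option( $key, array_values( array_map( 'absint', $raw ) ) );
    }
}

// Settings form: emits the nonce field so legitimate submissions pass the
// check, and escapes every stored value on output.
function wpum_settings_form() {
    $zoom = absint( get_option( 'zoom-level', 10 ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wpum_save_settings', 'wpum_nonce' ); ?>
        <!-- 4. esc_attr() inside attributes, wp_json_encode() inside inline JS -->
        <input type="number" name="zoom-level" value="<?php echo esc_attr( $zoom ); ?>">
        <script>var wpumZoom = <?php echo wp_json_encode( $zoom ); ?>;</script>
        <input type="submit" name="save-setting" value="Save">
    </form>
    <?php
}
```

With these checks in place a request that lacks the nonce dies in check_admin_referer() before update_option() runs, and a value that does reach the page is escaped for the context it lands in.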

Meta Information

Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-29
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

Product: wp_ultimate_map plugin
Version / Range: up to 1.1 (inclusive)

Exploitability

CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) attacks that can change plugin settings and inject arbitrary web scripts by tricking a site administrator. This can lead to unauthorized modification of website behavior and potential exposure to malicious scripts.

Such unauthorized changes and script injections could potentially compromise the confidentiality and integrity of data handled by the affected WordPress site, which may impact compliance with data protection standards like GDPR and HIPAA that require safeguarding personal and sensitive information.

However, the provided information does not explicitly detail the direct impact on compliance with these regulations.

Executive Summary

The WP-Ultimate-Map plugin for WordPress versions up to and including 1.1 is vulnerable to Cross-Site Request Forgery (CSRF). This happens because the plugin's process_init() function, which saves plugin settings, lacks nonce validation. The function updates settings based only on the presence of a save-setting POST parameter without verifying the request's authenticity.

Additionally, some saved values, especially the zoom-level, are stored without sanitization and later output directly into HTML attributes and inline JavaScript on the settings page without escaping. This combination allows an attacker to trick an administrator into performing an action (like clicking a malicious link), enabling the attacker to change plugin settings and inject arbitrary scripts.

Impact Analysis

This vulnerability can allow an unauthenticated attacker to modify the plugin's settings by tricking a site administrator into executing a forged request. Because the plugin saves settings without proper validation or sanitization, the attacker can inject arbitrary web scripts into the site.

The impact includes potential cross-site scripting (XSS) attacks, which can lead to session hijacking, defacement, or other malicious actions performed in the context of the administrator's browser. This compromises the integrity and security of the WordPress site.
