CVE-2019-10692

CRITICAL NUCLEI

Codecabin WP GO Maps < 7.11.18 - SQL Injection

Title source: rule

Description

In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.

Exploits (1)

metasploit WORKING POC

by Thomas Chauchefoin (Synacktiv) · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/wp_google_maps_sqli.rb

View Code ZIP pw:eip

Nuclei Templates (1)

WordPress Google Maps <7.11.18 - SQL Injection

CRITICALVERIFIEDby pussycat0x

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/159640/WordPress-Rest-Google-Maps-SQL-Injection.html

[Exploit, Third Party Advisory] http://www.rapid7.com/db/modules/auxiliary/admin/http/wp_google_maps_sqli

[Patch, Third Party Advisory] https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-google-maps&old=2061433&new_path=%2Fwp-google-maps&new=2061434&sfp_email=&sfph_mail=#file755

[Third Party Advisory] https://wordpress.org/plugins/wp-google-maps/#developers

Scores

CVSS v3 9.8

EPSS 0.8876

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

codecabin/wp_go_maps < 7.11.18

Published Apr 02, 2019

Tracked Since Feb 18, 2026