CVE-2026-2580

HIGH

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 - Unauthenticated SQL Injection via 'orderby' Parameter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-2580. PoCs published by exploitintel.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2026-2580, targeting WP Maps (wp-google-map-plugin) v4.9.1. The exploit demonstrates unauthenticated broken access control via AJAX dispatcher and stored XSS, with detailed technical analysis and lab setup.

Description

The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 4.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploits (1)

github WORKING POC 3 stars

by exploitintel · cpoc

https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2026-2580

View Code ZIP pw:eip

This repository contains a functional exploit PoC for CVE-2026-2580, targeting WP Maps (wp-google-map-plugin) v4.9.1. The exploit demonstrates unauthenticated broken access control via AJAX dispatcher and stored XSS, with detailed technical analysis and lab setup.

Classification

Working Poc 95%

Attack Type

Auth Bypass | Xss

Complexity

Moderate

Reliability

Reliable

Target: WP Maps (wp-google-map-plugin) v4.9.1

No auth needed

Prerequisites: WordPress site with vulnerable plugin installed · Publicly accessible page with the plugin's shortcode

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (4)

Core 4

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/8d954868-eff2-497d-84e7-cc42da8a4c6f?source=cve

https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/core/class.tabular.php#L780

https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/classes/wpgmp-helper.php#L127

https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/wp-google-map-plugin.php#L77

Scores

CVSS v3 7.5

EPSS 0.0011

EPSS Percentile 28.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

flippercode/WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters < 4.9.1

Published Mar 23, 2026

Tracked Since Mar 23, 2026