🔐 CVE Alert

CVE-2026-12238

MEDIUM 5.3

WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Creation

CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 0th

The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. The namespace validation check (requiring the 'WPGMZA' prefix) does not prevent exploitation because classes such as WPGMZA\Map and WPGMZA\Marker satisfy it while still triggering an INSERT into the corresponding plugin table before the route rejects the request.
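The ordering flaw described above, as an added illustration that is not WP Go Maps code: every class and function name here is hypothetical, and the rejection step is modelled as a type check on an assumed expected class (`DataTable`).

```php
<?php
// Added illustration; all names below are hypothetical, not the plugin's code.
namespace WPGMZA;

class Store { public static array $rows = []; }   // stands in for the plugin tables

class Crud {                                      // CRUD-backed base class
    public function __construct() {
        Store::$rows[] = static::class;           // constructing a record INSERTs a row
    }
}
class Map extends Crud {}
class Marker extends Crud {}
class DataTable {}                                // assumed type the route expects

// Pattern from the advisory: prefix check, instantiate, then reject.
function handle_vulnerable(string $phpClass): int {
    if (strpos($phpClass, 'WPGMZA\\') !== 0) return 400;
    $obj = new $phpClass();                       // side effect happens here
    if (!($obj instanceof DataTable)) return 403; // too late: the row is already written
    return 200;
}

// Hardened order: authorize, allow-list the type, only then instantiate.
function handle_hardened(string $phpClass, bool $authorized): int {
    if (!$authorized) return 401;                 // stand-in for e.g. current_user_can()
    if (!class_exists($phpClass) || !is_a($phpClass, DataTable::class, true)) return 403;
    new $phpClass();
    return 200;
}

$before = count(Store::$rows);
$status = handle_vulnerable('WPGMZA\\Map');
printf("vulnerable: HTTP %d, rows added: %d\n", $status, count(Store::$rows) - $before);

$before = count(Store::$rows);
$status = handle_hardened('WPGMZA\\Map', false);
printf("hardened:   HTTP %d, rows added: %d\n", $status, count(Store::$rows) - $before);
```

The point for code review is that a rejected status code says nothing about whether state changed: any constructor with side effects has to sit behind both the authorization check and the type allow-list.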

CWE: CWE-862
Vendor: wpgmaps
Product: wp go maps – google map, openstreetmap, leaflet map
Published: Jun 19, 2026
CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Affected Versions

wpgmaps / WP Go Maps – Google Map, OpenStreetMap, Leaflet Map
All versions up to and including 10.1.01

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/c51c6cfb-9a79-4190-87ff-7eddb866ae56?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-google-maps/tags/10.0.10/includes/class.rest-api.php#L1052

Credits

Thanh Điềm