CVE-2026-3222

The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped in backticks as column names, bypassing the `esc_sql()` escaping function. Additionally, the `wpgmp_ajax_call` AJAX handler (registered for unauthenticated users via `wp_ajax_nopriv`) allows calling arbitrary class methods including `wpgmp_return_final_capability`, which passes the unsanitized `location_id` GET parameter directly to a database query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

• https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/core/class.model.php#L328
• https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/wp-google-map-plugin.php#L250
• https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/wp-google-map-plugin.php#L590
• https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/core/class.model.php#L328
• https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/wp-google-map-plugin.php#L250
• https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/wp-google-map-plugin.php#L590
• https://plugins.trac.wordpress.org/changeset/3475665/wp-google-map-plugin/trunk/core/class.model.php
• https://plugins.trac.wordpress.org/changeset/3475665/wp-google-map-plugin/trunk/wp-google-map-plugin.php
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475665%40wp-google-map-plugin%2Ftrunk&old=3439153%40wp-google-map-plugin%2Ftrunk&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/b612267c-a125-4153-9de7-bb12a7646021?source=cve