cleantalk
Vulnerabilities and Security Researches

WP Go Maps (formerly WP Google Maps), CVE-2026-12238

CVE, Research URL

CVE-2026-12238

Home page URL

Security reports for WP Go Maps (formerly WP Google Maps)

Application

WP Go Maps (formerly WP Google Maps)

Published on
Jun 20, 2026
Research Description
The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. The namespace validation check (requiring the 'WPGMZA' prefix) does not prevent exploitation because classes such as WPGMZA\Map and WPGMZA\Marker satisfy it while still triggering an INSERT into the corresponding plugin table before the route rejects the request.
Affected versions
max 10.1.02.
Status
vulnerable
Previous vulnerability researches
ACF Images Search And Insert (CVE-2024-48035) , Oct 13, 2024
New vulnerability
Database for Contact Form 7, WPforms, Elementor forms (CVE-2026-9843) , Jun 20, 2026
WP Go Maps (formerly WP Google Maps) (CVE-2026-12238) , Jun 20, 2026
Media Library Assistant (CVE-2026-56012) , Jun 20, 2026
MStore API (CVE-2026-54817) , Jun 20, 2026
Bricksable for Bricks Builder (CVE-2026-56009) , Jun 20, 2026