VYPR
Critical severity 9.3 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-39492

Description

Unauthenticated SQL Injection in WP Maps plugin ≤4.9.1 allows remote attackers to directly interact with the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WP Maps plugin for WordPress, versions 4.9.1 and earlier, contains an unauthenticated SQL injection vulnerability. The flaw resides in the plugin's own code and is reachable without any specific configuration or privileges. [1]

Exploitation

An attacker can exploit this vulnerability remotely without any authentication. The attack does not require any special network position beyond standard internet access to a WordPress site running the vulnerable plugin. No user interaction is needed. The attacker sends crafted input to a vulnerable endpoint, injecting malicious SQL queries that are executed by the database backend. [1]

Impact

On successful exploitation, an attacker can directly interact with the site's database. This includes the ability to read, modify, or delete sensitive information such as user credentials, personal data, and site configuration. The CVSS score of 9.3 (Critical) reflects the high potential for data theft and complete compromise of database integrity. [1]

Mitigation

The vulnerability is fixed in version 4.9.2. All users should update to version 4.9.2 or later immediately. For users unable to update immediately, Patchstack has issued a mitigation rule to block attacks until the update is applied. As this vulnerability is expected to be used in mass-exploit campaigns, prompt action is critical. [1]

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
