VYPR

High severity 7.5 · NVD Advisory · Published May 18, 2026 · Updated May 18, 2026

CVE-2026-6381

Description

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WP Maps plugin before 4.9.3 allows authenticated users (Subscriber+) to perform Local File Inclusion via an unsanitized parameter in a file path.

The WP Maps WordPress plugin, prior to version 4.9.3, fails to properly sanitize a parameter before using it in a file path. This vulnerability, classified as CWE-22 (Path Traversal), enables an authenticated user to include arbitrary local files from the server. The issue was discovered by researcher Mustafa Ahmed and reported via the WPScan vulnerability database [1].

An attacker must have at least Subscriber-level access to the WordPress site. The attack does not require any special privileges beyond authentication. By manipulating the unsanitized parameter, the attacker can traverse directories and include files such as configuration files or logs, potentially leading to information disclosure. The CVSS v3 base score is 7.5 (High), reflecting the ease of exploitation and potential impact [1].

The primary impact is Local File Inclusion (LFI), which can allow an attacker to read sensitive files on the server, such as wp-config.php containing database credentials. This could lead to further compromise of the WordPress installation. No evidence of remote code execution is provided in the advisory, but LFI can sometimes be chained with other vulnerabilities for greater effect.
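As an added illustration of the flaw class described above (this is not code from WP Maps or from the advisory), the unsafe pattern is shown beside a hardened version; the function names, the template directory and the file names are assumed placeholders, and PHP 8 is assumed:

```php
<?php
// Added example, not WP Maps code: the CWE-22 pattern this advisory describes
// beside a hardened version. Directory and file names below are placeholders.

// Vulnerable pattern: the request parameter flows straight into the path, so a
// value such as "../wp-config.php" escapes the intended directory.
function read_template_unsafe(string $base_dir, string $name): string|false {
    return @file_get_contents($base_dir . '/' . $name);
}

// Hardened pattern: allow only a plain file name, resolve the canonical path,
// and require that it still lies inside the intended directory.
function read_template_safe(string $base_dir, string $name): ?string {
    // Reject anything that is not a simple name (no "/", "\", "..", NUL bytes).
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name) || str_contains($name, '..')) {
        return null;
    }
    $root = realpath($base_dir);
    $path = realpath($base_dir . '/' . $name);
    if ($root === false || $path === false) {
        return null; // missing file or unresolvable path
    }
    // Containment check on canonical paths defeats symlink and "../" tricks.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

// Constructed demo: a throwaway directory with one legitimate template and a
// sibling file standing in for wp-config.php that must stay unreachable.
$tmp = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/default.tpl', "legit template\n");
file_put_contents($tmp . '/secret.txt', "DB_PASSWORD=example\n");
$base = $tmp . '/templates';

printf("unsafe, traversal: %s\n", var_export(read_template_unsafe($base, '../secret.txt'), true));
printf("safe, traversal:   %s\n", var_export(read_template_safe($base, '../secret.txt'), true));
printf("safe, legitimate:  %s\n", var_export(read_template_safe($base, 'default.tpl'), true));

// Clean up the demo files.
unlink($tmp . '/templates/default.tpl');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/templates');
rmdir($tmp);
```

The containment check on `realpath()` output is the part that matters: stripping `../` alone is not enough, because the resolved path, not the raw string, decides which file is read.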

The vulnerability is fixed in version 4.9.3 of the WP Maps plugin. Users are strongly advised to update to the latest version immediately. The advisory provides a clear timeline: the vulnerability was publicly published on 2026-04-27 and added to the WPScan database on the same day [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.