CVE-2026-8385
Description
WP Go Maps before 10.0.10 exposes unapproved marker details (title, category, address, description) via unauthenticated AJAX exploitation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WP Go Maps WordPress plugin versions before 10.0.10 fail to enforce the marker approval filter on the admin-ajax fallback for the datatables route. This allows unauthenticated visitors to retrieve marker records that the site owner did not approve for public display, including title, category, address, and description fields [1].
Exploitation
An unauthenticated attacker with network access to the WordPress site can send a crafted AJAX request to the vulnerable datatables route. No authentication, special privileges, or user interaction is required. The attack is simple to execute as the endpoint does not verify the approval status of markers before returning data [1].
Impact
Successful exploitation leads to unauthorized disclosure of sensitive marker information that the site owner intended to keep hidden. The exposed fields (title, category, address, description) can reveal business locations, private points of interest, or other confidential geographic data. This is a confidentiality breach with no direct integrity or availability impact [1].
Mitigation
The vulnerability is fixed in version 10.0.10. Site owners should update the plugin immediately. There is no workaround described in the sources; downgrading or disabling the marker approval feature is not recommended. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.0.10
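To find installs inside this range, the check below reads plugin header fields in the "Key: value" form WordPress uses and compares versions numerically. It is an added example, not code from the plugin or the advisory; the `NAME_HINT` header match and the sample header are assumptions.

```python
import re
from pathlib import Path

FIXED = (10, 0, 10)          # first fixed release, per the advisory
NAME_HINT = "wp go maps"     # assumption: substring of the "Plugin Name" header

def read_header(text, key):
    """Plugin metadata is a 'Key: value' line within the first 8 KB of the
    main plugin file; leading comment characters are ignored."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$", text[:8192],
                  re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else None

def version_tuple(version):
    """Leading numeric components only ('-beta' style suffixes are ignored)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    # Compare numerically. As strings, "10.0.9" sorts after "10.0.10",
    # so the last vulnerable release would be reported as patched.
    return version_tuple(version) < FIXED

def audit_plugins_dir(plugins_dir):
    """Return [(path, version)] for affected installs under a plugins directory."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        name = read_header(text, "Plugin Name")
        version = read_header(text, "Version")
        if name and version and NAME_HINT in name.lower() and is_affected(version):
            findings.append((str(php), version))
    return findings

# Constructed sample header, not copied from the plugin.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: WP Go Maps
 * Version: 10.0.9
 */
"""

if __name__ == "__main__":
    import sys
    for path, version in audit_plugins_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"AFFECTED {version} {path}")
```

Run it with the path to a site's `wp-content/plugins` directory; each printed line is an install that still needs the 10.0.10 update.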
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing marker approval filter on the admin-ajax datatables route allows unauthenticated retrieval of unapproved marker records."
Attack vector
An unauthenticated attacker can send a crafted AJAX request to the plugin's admin-ajax datatables endpoint. The server returns marker records that the site owner has not approved for public display, including title, category, address, and description fields [1]. No authentication or special privileges are required, and the attack can be performed remotely over HTTP.
Affected code
The WP Go Maps plugin (before 10.0.10) fails to enforce the marker approval filter on the admin-ajax fallback for its datatables route. The vulnerability resides in the AJAX handler that serves marker data to the DataTables front-end component.
What the fix does
The patch (version 10.0.10) adds proper enforcement of the marker approval filter on the admin-ajax datatables route. Before the fix, the AJAX handler did not check whether a marker had been approved before returning it; after the fix, unapproved markers are excluded from the response, preventing unauthorized disclosure of pending marker data.
Preconditions
- network: The attacker must be able to send HTTP requests to the WordPress site's admin-ajax endpoint.
- config: The site must have at least one unapproved marker stored in the plugin's database.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- [1] Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026), Wordfence Blog · Jun 11, 2026