VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-8386

Description

WP Go Maps plugin <10.0.10 exposes unapproved marker data including PII and coordinates via unauthenticated REST endpoint.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WP Go Maps WordPress plugin before version 10.0.10 does not enforce approval-state filtering on its public single-marker REST endpoint. This allows unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any personally identifiable information (PII) placed in the address and description fields and the marker's geographic coordinates [1].

Exploitation

An unauthenticated attacker can directly call the single-marker REST endpoint with a marker ID to retrieve non-public marker data. No authentication or special privileges are required. The attacker simply needs to enumerate marker IDs [1].
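Marker-ID enumeration against a single-marker endpoint shows up in web access logs as one client fetching many distinct IDs. The following is an added example, not code from the advisory or the plugin, that flags such clients; the route `/wp-json/PLUGIN-NAMESPACE/markers/<id>` is a placeholder assumption because the advisory does not give the endpoint path, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Placeholder route (assumption): the advisory does not name the endpoint path.
# Replace PLUGIN-NAMESPACE/markers with the plugin's real REST route.
MARKER_ROUTE = re.compile(r"^/wp-json/PLUGIN-NAMESPACE/markers/(\d+)/?(?:\?.*)?$")

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_marker_enumeration(lines, min_distinct_ids=5, route=MARKER_ROUTE):
    """Return {client_ip: sorted marker IDs} for clients that fetched at least
    min_distinct_ids different markers with a 200 response."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, method, path, status = m.groups()
        hit = route.match(path)
        if method == "GET" and status == "200" and hit:
            seen[ip].add(int(hit.group(1)))
    return {ip: sorted(ids) for ip, ids in seen.items()
            if len(ids) >= min_distinct_ids}


def build_sample_log():
    """Constructed sample: one client walking IDs 1..8, one ordinary visitor."""
    fmt = ('{ip} - - [15/Jun/2026:10:00:{s:02d} +0000] '
           '"GET {p} HTTP/1.1" {st} 512 "-" "-"')
    base = "/wp-json/PLUGIN-NAMESPACE/markers/"
    lines = [fmt.format(ip="203.0.113.7", s=i, p=f"{base}{i}",
                        st=404 if i == 4 else 200) for i in range(1, 9)]
    lines += [fmt.format(ip="198.51.100.20", s=30, p=f"{base}3", st=200),
              fmt.format(ip="198.51.100.20", s=31, p="/wp-json/wp/v2/posts", st=200),
              "not a log line"]
    return lines


if __name__ == "__main__":
    for ip, ids in find_marker_enumeration(build_sample_log()).items():
        print(f"{ip} fetched {len(ids)} distinct marker IDs: {ids}")
```

A 200 response does not show whether the marker was approved, so the returned IDs need to be compared against the unapproved markers in the site database to scope what was disclosed. WordPress sites without pretty permalinks serve REST routes through the `rest_route` query parameter, which this pattern does not cover.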

Impact

Successful exploitation leads to unauthorized disclosure of sensitive information, including PII (e.g., names, addresses) and precise geographic coordinates of markers. This compromises the confidentiality of data intended to be hidden until approved [1].

Mitigation

The issue is fixed in version 10.0.10. Users should update to this version. No workaround is mentioned [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing approval-state filtering on the public single-marker REST endpoint allows retrieval of unapproved marker records."

Attack vector

An unauthenticated attacker can call the plugin's public single-marker REST endpoint with a marker ID to retrieve marker records that an administrator has not yet approved for public display [1]. The endpoint does not check whether the marker's approval state allows public viewing, so any marker stored in the database—including those containing personally identifiable information (PII) in the address and description fields, as well as geographic coordinates—is returned to the requester [1]. No authentication or special privileges are required, and the attack can be performed over the standard HTTP interface.

Affected code

The WP Go Maps plugin's public single-marker REST endpoint lacks approval-state filtering. The advisory does not specify the exact file or function name, but the endpoint is described as a "public single-marker REST endpoint" that returns marker records regardless of their approval status.

What the fix does

The advisory states the vulnerability is fixed in version 10.0.10 of the WP Go Maps plugin [1]. The patch likely adds an approval-state check to the single-marker REST endpoint so that only markers that have been approved for public display are returned to unauthenticated users. Without this check, any marker—including those containing sensitive PII and geographic coordinates—can be retrieved by anyone who knows or guesses the marker ID.

Preconditions

  • config: The WP Go Maps plugin must be installed and active at a version before 10.0.10.
  • input: The attacker must know or be able to enumerate a marker ID that corresponds to an unapproved marker.
  • auth: No authentication is required; the endpoint is publicly accessible.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.