Description

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.

PUBLISHED Reserved 2026-04-15 | Published 2026-05-18 | Updated 2026-05-18 | Assigner WPScan

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

Any version before 4.9.3: affected

Credits

Mustafa Ahmed (finder)

WPScan (coordinator)

References

wpscan.com/...rability/18b36672-58d7-44fa-b653-b728e9ef257a/ exploit vdb-entry technical-description

cve.org (CVE-2026-6381)

nvd.nist.gov (CVE-2026-6381)
