CVE-2026-8385 | THREATINT

Description

The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields.

PUBLISHED Reserved 2026-05-12 | Published 2026-06-15 | Updated 2026-06-15 | Assigner WPScan

Problem types

CWE-200 Information Exposure

Product status

Default status

unaffected

Any version before 10.0.10

affected

Credits

Sudhanshu Chauhan [RedHunt Labs] finder

WPScan coordinator

References

wpscan.com/...rability/984cad38-6d01-4956-8bf1-29585258780b/ exploit vdb-entry technical-description

cve.org (CVE-2026-8385)

nvd.nist.gov (CVE-2026-8385)

Download JSON