CVE-2026-8386 | THREATINT

Description

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.

PUBLISHED Reserved 2026-05-12 | Published 2026-06-15 | Updated 2026-06-15 | Assigner WPScan

Problem types

CWE-200 Information Exposure

Product status

Default status

unaffected

Any version before 10.0.10

affected

Credits

Sudhanshu Chauhan [RedHunt Labs] finder

WPScan coordinator

References

wpscan.com/...rability/fa7f5cb0-abe2-4079-9290-e0e4dc89f27f/ exploit

wpscan.com/...rability/fa7f5cb0-abe2-4079-9290-e0e4dc89f27f/ exploit vdb-entry technical-description

cve.org (CVE-2026-8386)

nvd.nist.gov (CVE-2026-8386)

Download JSON