Basic Google Maps Placemarks <= 1.10.7 - Missing Authorization to Unauthenticated Default Map Coordinate Update
Description
The Basic Google Maps Placemarks plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.10.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify stored map latitude and longitude options.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
<=1.10.7
What Changed in the Fix
Changes introduced in v1.10.8
Source Code
WordPress.org SVN
Vulnerability Research Plan: CVE-2026-3581
1. Vulnerability Summary
The Basic Google Maps Placemarks plugin (versions <= 1.10.7) contains a missing authorization vulnerability that allows unauthenticated attackers to modify the stored default map coordinates (latitude and longitude). The flaw exists in the BGMPSettings::updateMapCoordinates() method, which is hooked to init and fails to perform any capability checks or nonce verification before updating core plugin settings based on $_POST data.
2. Attack Vector Analysis
- Endpoint: Any WordPress URL (e.g., `/`, `/wp-login.php`, or `/wp-admin/admin-ajax.php`) because the vulnerable function is hooked to `init`.
- HTTP Method: `POST`
- Vulnerable Parameter: `bgmp_map-address`
- Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active.
- Mechanism: The plugin attempts to "helpfully" update coordinates whenever the address is changed in settings. However, because it checks for the existence of `$_POST['bgmp_map-address']` on every request via the `init` hook, an attacker can trigger the update logic by simply providing that key in a POST request.
3. Code Flow
- Entry Point: `core.php` instantiates `BGMPSettings` in the `BasicGoogleMapsPlacemarks::__construct` method.
- Hook Registration: In `settings.php`, the `BGMPSettings::__construct` method registers `updateMapCoordinates` to the `init` hook:
  ```php
  add_action( 'init', array( $this, 'updateMapCoordinates' ) );
  ```
- Vulnerable Sink: The `BGMPSettings::updateMapCoordinates()` method (in `settings.php`) checks for user input:
  ```php
  public function updateMapCoordinates() {
      global $bgmp;
      // ...
      if ( isset( $_POST[ BasicGoogleMapsPlacemarks::PREFIX . 'map-address' ] ) ) { // PREFIX = 'bgmp_'
          // ... logic to geocode the address ...
          if ( $haveCoordinates ) {
              update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-latitude', $coordinates['latitude'] );
              update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-longitude', $coordinates['longitude'] );
          }
      }
  }
  ```
- Authorization Failure: There are no calls to `current_user_can()`, `check_admin_referer()`, or `wp_verify_nonce()` before `update_option()` is called.
4. Nonce Acquisition Strategy
No nonce is required for this exploit.
The code in BGMPSettings::updateMapCoordinates lacks any nonce verification. It only checks for the presence of the bgmp_map-address key in the $_POST array.
5. Exploitation Strategy
- Determine Current Settings: (Optional) Use WP-CLI to check the current latitude and longitude to establish a baseline.
- Send Malicious Request: Send an unauthenticated `POST` request to the WordPress home page with a new address.
- Payload:
  - URL: `http://localhost:8888/` (The root URL is sufficient).
  - Method: `POST`
  - Body (Form-Encoded): `bgmp_map-address=New+York,NY`
- Backend Processing: The WordPress `init` hook triggers `updateMapCoordinates`. The plugin sees `$_POST['bgmp_map-address']`, geocodes "New York, NY", and updates the `bgmp_map-latitude` and `bgmp_map-longitude` options in the `wp_options` table.
6. Test Data Setup
- Install and activate the plugin: `wp plugin activate basic-google-maps-placemarks`.
- Set an initial coordinate baseline:
  ```bash
  wp option update bgmp_map-latitude "47.6062095"
  wp option update bgmp_map-longitude "-122.3320708"
  ```
7. Expected Results
- The server will return a standard 200 OK (or redirect) as the `init` hook executes and allows the page to load normally.
- The database options `bgmp_map-latitude` and `bgmp_map-longitude` will change from the baseline values to the coordinates of the injected address.
8. Verification Steps
After sending the HTTP request, verify the change using WP-CLI:
```bash
# Check updated latitude
wp option get bgmp_map-latitude
# Check updated longitude
wp option get bgmp_map-longitude
```
For "New York, NY", the latitude should be approximately 40.7127753 and longitude -74.0059728.
9. Alternative Approaches
If the plugin cannot geocode the address (e.g., if a Google Maps API key is missing or invalid), the code follows this path:
```php
if ( $haveCoordinates ) {
    // ...
} else {
    update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-latitude', '' );
    update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-longitude', '' );
}
```
In this scenario, an attacker can effectively wipe the map coordinates by sending an empty address or a gibberish address that cannot be geocoded:
- Payload: `bgmp_map-address=non_existent_location_12345`
- Expected Result: `bgmp_map-latitude` and `bgmp_map-longitude` become empty strings, breaking the map display on the frontend.
Summary
The Basic Google Maps Placemarks plugin for WordPress (<= 1.10.7) is vulnerable to unauthorized modification of map settings. The `updateMapCoordinates` method, hooked to the early `init` action, fails to perform capability checks or nonce verification, allowing unauthenticated attackers to update the global map latitude and longitude or wipe them entirely.
Vulnerable Code
```php
// settings.php line 36
add_action( 'init', array( $this, 'updateMapCoordinates' ) );
```

```php
// settings.php lines 71-102
public function updateMapCoordinates() {
    // @todo - this could be done during a settings validation callback?
    global $bgmp;

    $haveCoordinates = true;

    if ( isset( $_POST[ BasicGoogleMapsPlacemarks::PREFIX . 'map-address' ] ) ) {
        if ( empty( $_POST[ BasicGoogleMapsPlacemarks::PREFIX . 'map-address' ] ) ) {
            $haveCoordinates = false;
        } else {
            $coordinates = $bgmp->geocode( $_POST[ BasicGoogleMapsPlacemarks::PREFIX . 'map-address' ] );

            if ( ! $coordinates ) {
                $haveCoordinates = false;
            }
        }

        if ( $haveCoordinates ) {
            update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-latitude', $coordinates['latitude'] );
            update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-longitude', $coordinates['longitude'] );
        } else {
            // @todo - can't call protected from this class - $this->bgmp->enqueueMessage('That address couldn\'t be geocoded, please make sure that it\'s correct.', 'error' );
            update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-latitude', '' ); // @todo - update these
            update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-longitude', '' );
        }
    }
}
```
Security Fix
@@ -78,6 +78,14 @@ // @todo - this could be done during a settings validation callback? global $bgmp; + if ( ! current_user_can( 'manage_options' ) ) { + return; + } + + if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], BasicGoogleMapsPlacemarks::PREFIX . 'settings-options' ) ) { + return; + } + $haveCoordinates = true; if ( isset( $_POST[ BasicGoogleMapsPlacemarks::PREFIX . 'map-address' ] ) ) {
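Review bot: the nonce check in the second added `if` only passes when the settings form's nonce was created with the action `BasicGoogleMapsPlacemarks::PREFIX . 'settings-options'`. If the form relies on `settings_fields()`, that action is `{$option_group}-options`, so confirm the option group is exactly `PREFIX . 'settings'`; otherwise the guard returns silently and a legitimate address change never updates the coordinates. `$_POST['_wpnonce']` is also passed to `wp_verify_nonce()` raw and should go through `sanitize_text_field( wp_unslash( ... ) )` first. The context line still carries the `@todo` about a settings validation callback; moving the logic there would stop it from running on every request.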
Exploit Outline
The exploit is achieved by sending an unauthenticated POST request to any URL on the WordPress site (as the vulnerable code is hooked to 'init'). The attacker provides a POST parameter 'bgmp_map-address' containing a geographic location (e.g., 'New York, NY'). The plugin's 'updateMapCoordinates' function detects this parameter, geocodes the address, and updates the 'bgmp_map-latitude' and 'bgmp_map-longitude' WordPress options. No nonces or user authentication are required to trigger this update. Additionally, providing an ungeocodeable address allows an attacker to clear the stored coordinates, effectively breaking the map on the frontend.
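For a site that cannot move to v1.10.8 right away, the two checks the fix adds can be enforced in front of the vulnerable handler. The must-use plugin below is an added example, not code from the plugin or its author; the `bgmp_guard_*` names are hypothetical, and it assumes the vulnerable method is hooked to `init` at the default priority, as in the excerpt above.

```php
<?php
/**
 * Plugin Name: BGMP map-address guard (added example, not the plugin's own code)
 *
 * Place in wp-content/mu-plugins/. Must-use plugins load before regular
 * plugins, and priority 1 runs before a default-priority (10) 'init' handler,
 * so the vulnerable method never sees an unauthorized value.
 */

// Parameter name and nonce action as given in the advisory and the 1.10.8 fix.
const BGMP_GUARD_PARAM        = 'bgmp_map-address';
const BGMP_GUARD_NONCE_ACTION = 'bgmp_settings-options';

add_action( 'init', 'bgmp_guard_filter_request', 1 );

function bgmp_guard_filter_request() {
	if ( ! isset( $_POST[ BGMP_GUARD_PARAM ] ) ) {
		return; // Request does not touch the vulnerable code path.
	}

	$nonce = isset( $_POST['_wpnonce'] )
		? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
		: '';

	$authorized = current_user_can( 'manage_options' )
		&& wp_verify_nonce( $nonce, BGMP_GUARD_NONCE_ACTION );

	if ( $authorized ) {
		return; // Legitimate settings save: leave the request untouched.
	}

	// Record the attempt for triage, then drop the key so the isset() test in
	// BGMPSettings::updateMapCoordinates() fails and no option is written.
	error_log( sprintf(
		'bgmp-guard: dropped unauthorized %s from %s (user id %d, uri %s)',
		BGMP_GUARD_PARAM,
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
		get_current_user_id(),
		isset( $_SERVER['REQUEST_URI'] ) ? esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : ''
	) );

	unset( $_POST[ BGMP_GUARD_PARAM ], $_REQUEST[ BGMP_GUARD_PARAM ] );
}
```

The logged lines also serve as a detection signal: any entry with user id 0 is an unauthenticated request carrying the vulnerable parameter.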