[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffpvc31ycGq_6jh6awsSpA84ha5sl1T6OKMB0kTHVeHs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"source_links":38},"CVE-2026-3581","basic-google-maps-placemarks-missing-authorization-to-unauthenticated-default-map-coordinate-update","Basic Google Maps Placemarks \u003C= 1.10.7 - Missing Authorization to Unauthenticated Default Map Coordinate Update","The Basic Google Maps Placemarks plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.10.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. 
This makes it possible for unauthenticated attackers to modify stored map latitude and longitude options.","basic-google-maps-placemarks",null,"\u003C=1.10.7","1.10.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-15 16:47:25","2026-04-16 05:29:56",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb8a2bbfe-eb87-4e26-ba20-bc406d681124?source=api-prod",1,[22,23,24,25,26],"basic-google-maps-placemarks.php","core.php","docs\u002FTODO.txt","readme.txt","settings.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-3581\n\n## 1. Vulnerability Summary\nThe **Basic Google Maps Placemarks** plugin (versions \u003C= 1.10.7) contains a missing authorization vulnerability that allows unauthenticated attackers to modify the stored default map coordinates (latitude and longitude). The flaw exists in the `BGMPSettings::updateMapCoordinates()` method, which is hooked to `init` and fails to perform any capability checks or nonce verification before updating core plugin settings based on `$_POST` data.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any WordPress URL (e.g., `\u002F`, `\u002Fwp-login.php`, or `\u002Fwp-admin\u002Fadmin-ajax.php`) because the vulnerable function is hooked to `init`.\n*   **HTTP Method:** `POST`\n*   **Vulnerable Parameter:** `bgmp_map-address`\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active.\n*   **Mechanism:** The plugin attempts to \"helpfully\" update coordinates whenever the address is changed in settings. However, because it checks for the existence of `$_POST['bgmp_map-address']` on every request via the `init` hook, an attacker can trigger the update logic by simply providing that key in a POST request.\n\n## 3. Code Flow\n1.  **Entry Point:** `core.php` instantiates `BGMPSettings` in the `BasicGoogleMapsPlacemarks::__construct` method.\n2.  
**Hook Registration:** In `settings.php`, the `BGMPSettings::__construct` method registers `updateMapCoordinates` to the `init` hook:\n    ```php\n    add_action( 'init', array( $this, 'updateMapCoordinates' ) );\n    ```\n3.  **Vulnerable Sink:** The `BGMPSettings::updateMapCoordinates()` method (in `settings.php`) checks for user input:\n    ```php\n    public function updateMapCoordinates() {\n        global $bgmp;\n        \u002F\u002F ...\n        if ( isset( $_POST[ BasicGoogleMapsPlacemarks::PREFIX . 'map-address' ] ) ) { \u002F\u002F PREFIX = 'bgmp_'\n            \u002F\u002F ... logic to geocode the address ...\n            if ( $haveCoordinates ) {\n                update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-latitude',  $coordinates['latitude']  );\n                update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-longitude', $coordinates['longitude'] );\n            }\n        }\n    }\n    ```\n4.  **Authorization Failure:** There are no calls to `current_user_can()`, `check_admin_referer()`, or `wp_verify_nonce()` before `update_option()` is called.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required for this exploit.** \n\nThe code in `BGMPSettings::updateMapCoordinates` lacks any nonce verification. It only checks for the presence of the `bgmp_map-address` key in the `$_POST` array.\n\n## 5. Exploitation Strategy\n1.  **Determine Current Settings:** (Optional) Use WP-CLI to check the current latitude and longitude to establish a baseline.\n2.  **Send Malicious Request:** Send an unauthenticated `POST` request to the WordPress home page with a new address.\n3.  **Payload:**\n    *   **URL:** `http:\u002F\u002Flocalhost:8888\u002F` (The root URL is sufficient).\n    *   **Method:** `POST`\n    *   **Body (Form-Encoded):** `bgmp_map-address=New+York,NY`\n4.  **Backend Processing:** The WordPress `init` hook triggers `updateMapCoordinates`. 
The plugin sees `$_POST['bgmp_map-address']`, geocodes \"New York, NY\", and updates the `bgmp_map-latitude` and `bgmp_map-longitude` options in the `wp_options` table.\n\n## 6. Test Data Setup\n1.  Install and activate the plugin: `wp plugin activate basic-google-maps-placemarks`.\n2.  Set an initial coordinate baseline:\n    ```bash\n    wp option update bgmp_map-latitude \"47.6062095\"\n    wp option update bgmp_map-longitude \"-122.3320708\"\n    ```\n\n## 7. Expected Results\n*   The server will return a standard 200 OK (or redirect) as the `init` hook executes and allows the page to load normally.\n*   The database options `bgmp_map-latitude` and `bgmp_map-longitude` will change from the baseline values to the coordinates of the injected address.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the change using WP-CLI:\n```bash\n# Check updated latitude\nwp option get bgmp_map-latitude\n\n# Check updated longitude\nwp option get bgmp_map-longitude\n```\nFor \"New York, NY\", the latitude should be approximately `40.7127753` and longitude `-74.0059728`.\n\n## 9. Alternative Approaches\nIf the plugin cannot geocode the address (e.g., if a Google Maps API key is missing or invalid), the code follows this path:\n```php\nif ( $haveCoordinates ) {\n    \u002F\u002F ...\n} else {\n    update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-latitude',  '' );\n    update_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-longitude', '' );\n}\n```\nIn this scenario, an attacker can effectively **wipe** the map coordinates by sending an empty address or a gibberish address that cannot be geocoded:\n*   **Payload:** `bgmp_map-address=non_existent_location_12345`\n*   **Expected Result:** `bgmp_map-latitude` and `bgmp_map-longitude` become empty strings, breaking the map display on the frontend.","The Basic Google Maps Placemarks plugin for WordPress (\u003C= 1.10.7) is vulnerable to unauthorized modification of map settings. 
The `updateMapCoordinates` method, hooked to the early `init` action, fails to perform capability checks or nonce verification, allowing unauthenticated attackers to update the global map latitude and longitude or wipe them entirely.","\u002F\u002F settings.php line 36\nadd_action( 'init',       array( $this, 'updateMapCoordinates' )    );\n\n---\n\n\u002F\u002F settings.php lines 71-102\npublic function updateMapCoordinates() {\n\t\u002F\u002F @todo - this could be done during a settings validation callback?\n\tglobal $bgmp;\n\n\t$haveCoordinates = true;\n\n\tif ( isset( $_POST[ BasicGoogleMapsPlacemarks::PREFIX . 'map-address' ] ) ) {\n\t\tif ( empty( $_POST[ BasicGoogleMapsPlacemarks::PREFIX . 'map-address' ] ) ) {\n\t\t\t$haveCoordinates = false;\n\t\t} else {\n\t\t\t$coordinates = $bgmp->geocode( $_POST[ BasicGoogleMapsPlacemarks::PREFIX . 'map-address' ] );\n\n\t\t\tif ( ! $coordinates ) {\n\t\t\t\t$haveCoordinates = false;\n\t\t\t}\n\t\t}\n\n\t\tif ( $haveCoordinates ) {\n\t\t\tupdate_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-latitude',  $coordinates['latitude']  );\n\t\t\tupdate_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-longitude', $coordinates['longitude'] );\n\t\t} else {\n\t\t\t\u002F\u002F @todo - can't call protected from this class - $this->bgmp->enqueueMessage('That address couldn\\'t be geocoded, please make sure that it\\'s correct.', 'error' );\n\n\t\t\tupdate_option( BasicGoogleMapsPlacemarks::PREFIX . 'map-latitude',  '' );    \u002F\u002F @todo - update these\n\t\t\tupdate_option( BasicGoogleMapsPlacemarks::PREFIX . 
'map-longitude', '' );\n\t\t}\n\t}\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbasic-google-maps-placemarks\u002F1.10.7\u002Fsettings.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbasic-google-maps-placemarks\u002F1.10.8\u002Fsettings.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbasic-google-maps-placemarks\u002F1.10.7\u002Fsettings.php\t2016-08-19 21:14:56.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbasic-google-maps-placemarks\u002F1.10.8\u002Fsettings.php\t2026-03-31 19:07:00.000000000 +0000\n@@ -78,6 +78,14 @@\n \t\t\t\u002F\u002F @todo - this could be done during a settings validation callback?\n \t\t\tglobal $bgmp;\n \n+\t\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\t\treturn;\n+\t\t\t}\n+\n+\t\t\tif ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], BasicGoogleMapsPlacemarks::PREFIX . 'settings-options' ) ) {\n+\t\t\t\treturn;\n+\t\t\t}\n+\n \t\t\t$haveCoordinates = true;\n \n \t\t\tif ( isset( $_POST[ BasicGoogleMapsPlacemarks::PREFIX . 'map-address' ] ) ) {","The exploit is achieved by sending an unauthenticated POST request to any URL on the WordPress site (as the vulnerable code is hooked to 'init'). The attacker provides a POST parameter 'bgmp_map-address' containing a geographic location (e.g., 'New York, NY'). The plugin's 'updateMapCoordinates' function detects this parameter, geocodes the address, and updates the 'bgmp_map-latitude' and 'bgmp_map-longitude' WordPress options. No nonces or user authentication are required to trigger this update. 
Additionally, an empty address or one that cannot be geocoded causes both options to be overwritten with empty strings, which breaks the map display on the frontend. Version 1.10.8 closes this path by returning early from 'updateMapCoordinates' unless the current user has the 'manage_options' capability and the request carries a valid '_wpnonce' for the 'bgmp_settings-options' action; on sites not yet updated, POST requests from logged-out clients that carry the 'bgmp_map-address' field are worth alerting on wherever request bodies are inspected (for example at a WAF).","gemini-3-flash-preview","2026-04-16 15:25:45","2026-04-16 15:26:04",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","1.10.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbasic-google-maps-placemarks\u002Ftags\u002F1.10.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbasic-google-maps-placemarks.1.10.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbasic-google-maps-placemarks\u002Ftags\u002F1.10.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbasic-google-maps-placemarks.1.10.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbasic-google-maps-placemarks\u002Ftags"]