[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fR6ukdCSBYMhC5w8ft3ms_kM7ldhsCrmOVZA7xg5jWWQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-12238","wp-go-maps-unauthenticated-arbitrary-record-creation","WP Go Maps \u003C= 10.1.01 - Unauthenticated Arbitrary Record Creation","The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. The namespace validation check (requiring the 'WPGMZA' prefix) does not prevent exploitation because classes such as WPGMZA\\Map and WPGMZA\\Marker satisfy it while still triggering an INSERT into the corresponding plugin table before the route rejects the request.","wp-google-maps",null,"\u003C=10.1.01","10.1.02","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-19 06:01:56","2026-06-19 18:32:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc51c6cfb-9a79-4190-87ff-7eddb866ae56?source=api-prod",1,[22,23,24,25,26,27,28,29],"html\u002Fatlas-major\u002Fcredits.html.php","html\u002Fatlas-novus\u002Fcredits.html.php","includes\u002Fclass.rest-api.php","js\u002Fv8\u002Ftables\u002Fdatatable.js","js\u002Fv8\u002Fwp-google-maps.combined.js","js\u002Fv8\u002Fwp-google-maps.min.js","js\u002Fv8\u002Fwp-google-maps.min.js.map","readme.txt","researched",false,3,"# Exploitation Research Plan - CVE-2026-12238\n\n## 1. Vulnerability Summary\nThe **WP Go Maps** plugin (up to 10.1.01) is vulnerable to **Unauthenticated Arbitrary Record Creation**. This is due to an authorization bypass in the REST API handling of the `phpClass` parameter. The plugin attempts to validate that the requested class belongs to the `WPGMZA` namespace but fails to restrict which classes can be instantiated. \n\nWhen a user provides a CRUD-backed class name (like `WPGMZA\\Marker` or `WPGMZA\\Map`), the plugin's REST API controller instantiates the class. In these specific versions, the instantiation of certain CRUD classes triggers a database `INSERT` operation using the provided request parameters before the REST route's logic actually validates the user's permissions to perform that action.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fwpgmza\u002Fv1\u002Fdatatables` (or any route using the `phpClass` parameter).\n- **HTTP Method:** `POST` (or `GET` via compressed path variables).\n- **Vulnerable Parameter:** `phpClass`.\n- **Authentication:** Unauthenticated.\n- **Preconditions:** The `datatables` route is explicitly exempted from nonce checks in `includes\u002Fclass.rest-api.php`.\n\n## 3. Code Flow\n1. **Entry Point:** The request hits `wp-json\u002Fwpgmza\u002Fv1\u002Fdatatables`.\n2. **Route Registration:** In `includes\u002Fclass.rest-api.php`, the `registerRoute` method defines the `datatables` route. It adds a check that sets `$doActionNonceCheck = false` for the `datatables` route, allowing unauthenticated access.\n3. **Parameter Parsing:** `RestAPI::getRequestParameters()` parses the input.\n4. **Vulnerable Logic:** The REST callback (likely in `includes\u002Fclass.rest-api.php` or a related controller) retrieves the `phpClass` parameter.\n5. **Validation:** The code checks if the class starts with `WPGMZA\\`.\n6. **Instantiation:** The plugin instantiates the class: `$instance = new $phpClass($_POST);` (or similar).\n7. **Sink:** The constructor of `WPGMZA\\CRUD` (the parent of `Marker`, `Map`, etc.) identifies that no ID was provided and uses the passed data to create a new record in the database.\n8. **Rejection:** The REST route callback may eventually return a 403 or 401, but the `INSERT` has already been committed to the database.\n\n## 4. Nonce Acquisition Strategy\nThe `datatables` route is specifically designed to skip nonce checks in this version. \nIn `includes\u002Fclass.rest-api.php`:\n```php\n$skipNonceRoutes = array('features', 'markers', 'marker-listing', 'datatables');\nif(in_array(str_replace('\u002F', '', $route), $skipNonceRoutes)){\n    $doActionNonceCheck = false;\n}\n```\n**Conclusion:** No nonce is required for this specific exploit.\n\n## 5. Exploitation Strategy\nWe will use the `http_request` tool to send a `POST` request to the `datatables` endpoint, supplying `WPGMZA\\Marker` as the `phpClass`.\n\n### Step-by-Step Payload\n- **Target URL:** `[TARGET_URL]\u002Fwp-json\u002Fwpgmza\u002Fv1\u002Fdatatables`\n- **Method:** `POST`\n- **Content-Type:** `application\u002Fx-www-form-urlencoded`\n- **Payload Parameters:**\n    - `phpClass`: `WPGMZA\\Marker`\n    - `map_id`: `1` (Default map ID)\n    - `address`: `Exploit Address`\n    - `title`: `Exploit Marker`\n    - `lat`: `40.7128`\n    - `lng`: `-74.0060`\n\n### Expected Response\nThe server might return a `403 Forbidden` or a JSON error message, but the side effect (record creation) will have occurred.\n\n## 6. Test Data Setup\n1. **Verify Plugin:** Ensure WP Go Maps \u003C= 10.1.01 is active.\n2. **Default Map:** Ensure at least one map exists (Map ID 1 is standard).\n   ```bash\n   wp wpgmza create-map --title=\"Test Map\"\n   ```\n3. **Placement:** No shortcodes are strictly necessary for the exploit itself since nonces are skipped, but placing `[wpgmza id=\"1\"]` on a page can help verify the marker appears visually later.\n\n## 7. Expected Results\n- The HTTP response status may be `403` or `200` (depending on the specific REST controller's error handling).\n- A new record should be present in the `wp_wpgmza` (or `wp_wpgmza_markers`) table.\n\n## 8. Verification Steps\nAfter the exploit, use WP-CLI to check the database for the new marker:\n```bash\n# Check for markers with the 'Exploit Marker' title\nwp db query \"SELECT * FROM \\$(wp db prefix)wpgmza WHERE title='Exploit Marker';\"\n\n# Alternatively, if using the v8+ naming convention:\nwp db query \"SELECT * FROM \\$(wp db prefix)wpgmza_markers WHERE title='Exploit Marker';\"\n```\n\n## 9. Alternative Approaches\nIf the `datatables` route is hardened in the specific environment, try the `markers` route or `features` route, as they also skip nonce checks:\n- **Endpoint:** `\u002Fwp-json\u002Fwpgmza\u002Fv1\u002Fmarkers`\n- **Endpoint:** `\u002Fwp-json\u002Fwpgmza\u002Fv1\u002Ffeatures`\n\nIf the application requires the compressed format (as seen in `RestAPI::parseCompressedParameters`), the payload would need to be JSON-encoded, zlib-compressed, and base64-encoded, then passed as a path variable:\n`GET \u002Fwp-json\u002Fwpgmza\u002Fv1\u002Fdatatables\u002Fbase64[COMPRESSED_DATA]`","The WP Go Maps plugin is vulnerable to unauthenticated arbitrary record creation due to a missing authorization check on the `datatables` REST API route. Attackers can specify a CRUD-backed class (like WPGMZA\\Marker) via the `phpClass` parameter, causing the plugin to instantiate the class and insert a new record into the database before permission checks are applied.","\u002F\u002F includes\u002Fclass.rest-api.php:1118\n$skipNonceRoutes = array('features', 'markers', 'marker-listing', 'datatables');\nif(in_array(str_replace('\u002F', '', $route), $skipNonceRoutes)){\n    $doActionNonceCheck = false;\n}\n\n---\n\n\u002F\u002F includes\u002Fclass.rest-api.php:1173 (approximate)\nif((class_exists('\\\\WPGMZA\\\\MarkerListing') && $reflection->isSubclassOf('\\\\WPGMZA\\\\MarkerListing'))\n    || (class_exists('\\\\WPGMZA\\\\MarkerListing\\\\AdvancedTable') && ($class == '\\\\WPGMZA\\\\MarkerListing\\\\AdvancedTable' || $reflection->isSubclassOf('\\\\WPGMZA\\\\MarkerListing\\\\AdvancedTable')))){\n\n    $map_id = $request['map_id'];\n    $instance = $class::createInstance($map_id);\n} else {\n    $instance = $class::createInstance();\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-google-maps\u002F10.1.01\u002Fincludes\u002Fclass.rest-api.php\t2026-06-10 08:37:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-google-maps\u002F10.1.02\u002Fincludes\u002Fclass.rest-api.php\t2026-06-15 09:36:06.000000000 +0000\n@@ -1170,15 +1170,19 @@\n \t\t\treturn new \\WP_Error('wpgmza_invalid_datatable_class', 'Invalid class specified', array('status' => 403));\n \t\t}\n \t\t\n-\t\tif((class_exists('\\\\WPGMZA\\\\MarkerListing') && $reflection->isSubclassOf('\\\\WPGMZA\\\\MarkerListing'))\n-\t\t\t|| (class_exists('\\\\WPGMZA\\\\MarkerListing\\\\AdvancedTable') && ($class == '\\\\WPGMZA\\\\MarkerListing\\\\AdvancedTable' || $reflection->isSubclassOf('\\\\WPGMZA\\\\MarkerListing\\\\AdvancedTable')))){\n+\t\t$isMarkerListingSubclass = (class_exists('\\\\WPGMZA\\\\MarkerListing') && $reflection->isSubclassOf('\\\\WPGMZA\\\\MarkerListing'))\n+\t\t\t|| (class_exists('\\\\WPGMZA\\\\MarkerListing\\\\AdvancedTable') && ($class == '\\\\WPGMZA\\\\MarkerListing\\\\AdvancedTable' || $reflection->isSubclassOf('\\\\WPGMZA\\\\MarkerListing\\\\AdvancedTable')));\n \n+\t\tif(!$reflection->isSubclassOf('\\\\WPGMZA\\\\DataTable') && !$isMarkerListingSubclass)\n+\t\t\treturn new \\WP_Error('wpgmza_invalid_datatable_class', 'Specified PHP class must extend WPGMZA\\\\DataTable', array('status' => 403));\n+\n+\t\tif($isMarkerListingSubclass){\n \t\t\t$map_id = $request['map_id'];\n \t\t\t$instance = $class::createInstance($map_id);\n \t\t} else {\n \t\t\t$instance = $class::createInstance();\n \t\t}\n-\t\t\n+\n \t\tif(!($instance instanceof DataTable))\n \t\t\treturn new \\WP_Error('wpgmza_invalid_datatable_class', 'Specified PHP class must extend WPGMZA\\\\DataTable', array('status' => 403));","To exploit this vulnerability, an attacker sends a POST request to the `\u002Fwp-json\u002Fwpgmza\u002Fv1\u002Fdatatables` endpoint. This specific route is explicitly exempted from nonce and authorization checks in the vulnerable versions. The attacker includes the `phpClass` parameter set to a CRUD-backed class such as `WPGMZA\\Marker`, `WPGMZA\\Map`, or `WPGMZA\\Circle`. Along with the class name, the attacker provides the necessary database fields (e.g., `title`, `lat`, `lng`, `map_id`) in the request body. When the REST API controller instantiates the requested class via its factory pattern, the parent `CRUD` constructor identifies that no existing ID is present and automatically inserts the provided data into the corresponding database table. The record is committed even if the REST API eventually returns an error for other reasons.","gemini-3-flash-preview","2026-06-25 20:08:03","2026-06-25 20:09:02",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","10.1.01","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-google-maps\u002Ftags\u002F10.1.01","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-google-maps.10.1.01.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-google-maps\u002Ftags\u002F10.1.02","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-google-maps.10.1.02.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-google-maps\u002Ftags"]