CVE-2026-6381

WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters < 4.9.3 - Authenticated (Subscriber+) Local File Inclusion

highImproper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
7.5
CVSS Score
7.5
CVSS Score
high
Severity
4.9.3
Patched in
5d
Time to patch

Description

The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in versions up to 4.9.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<4.9.3
PublishedJune 11, 2026
Last updatedJune 15, 2026
Affected pluginwp-google-map-plugin

What Changed in the Fix

Changes introduced in v4.9.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-6381 (WP Maps LFI) This plan outlines the steps to verify and exploit a Local File Inclusion (LFI) vulnerability in the **WP Maps** WordPress plugin (versions < 4.9.3). ## 1. Vulnerability Summary - **Vulnerability:** Authenticated (Subscriber+) Local File I…

Show full research plan

Exploitation Research Plan - CVE-2026-6381 (WP Maps LFI)

This plan outlines the steps to verify and exploit a Local File Inclusion (LFI) vulnerability in the WP Maps WordPress plugin (versions < 4.9.3).

1. Vulnerability Summary

  • Vulnerability: Authenticated (Subscriber+) Local File Inclusion (LFI).
  • Vulnerable Component: The fc_load_template function in the FlipperCode_Initialise_Core class.
  • File Path: core/class.initiate-core.php.
  • Cause: The plugin takes user-controlled input (template_type) and concatenates it into a file path used in an include_once statement. While template_name is passed through sanitize_file_name(), the template_type parameter is only passed through sanitize_text_field(), which does not prevent directory traversal sequences (../).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php.
  • AJAX Action: core_templates (registered via wp_ajax_core_templates hook).
  • Authentication: Required (Subscriber-level or higher).
  • Vulnerable Parameters:
    • template_type: Used for path traversal.
    • template_name: Used to specify the file and directory name (must be a directory containing a file of the
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Maps plugin for WordPress is vulnerable to Local File Inclusion in versions up to 4.9.3. Authenticated attackers with Subscriber-level access can manipulate the 'template_type' parameter via directory traversal to include arbitrary PHP files, allowing for remote code execution.

Vulnerable Code

// core/class.initiate-core.php:49

$template      = sanitize_file_name($data['template_name']);
$template_type = sanitize_text_field($data['template_type']);

if ( isset( $data['template_name'] ) ) {
    $layout_file = $core_dir_path . 'templates/' . $template_type . '/' . $template . '/' . $template . '.html';
    $layout_url  = $core_dir_url . 'templates/' . $template_type . '/' . $template . '/' . $template . '.html';
    ob_start();
    include_once $layout_file;
    $content = ob_get_contents();
    ob_clean();
}

Security Fix

--- core/class.initiate-core.php
+++ core/class.initiate-core.php
@@ -52,7 +52,7 @@
 
 
 			$template      = sanitize_file_name($data['template_name']);
-			$template_type = sanitize_text_field($data['template_type']);
+			$template_type = sanitize_file_name($data['template_type']);
 
 			if ( isset( $data['template_name'] ) ) {
 				$layout_file = $core_dir_path . 'templates/' . $template_type . '/' . $template . '/' . $template . '.html';

Exploit Outline

1. Authenticate as a Subscriber-level user and extract the 'fc-call-nonce' from the 'wpgmp_local' object in the page source. 2. Upload a file containing PHP code formatted as '[name].html' inside a folder named '[name]' (e.g., via a zip file or media library) so it resides on the server. 3. Trigger the vulnerability by sending a POST request to '/wp-admin/admin-ajax.php' with 'action=core_templates'. 4. In the request, set 'template_type' to a directory traversal path pointing to the parent directory of your payload (e.g., '../../../../wp-content/uploads/2026/01/'). 5. Set 'template_name' to the name used in your folder structure (e.g., 'payload'). The plugin will resolve the path and execute the file via 'include_once'.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.