WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters < 4.9.3 - Authenticated (Subscriber+) Local File Inclusion
Description
The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in versions up to 4.9.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<4.9.3What Changed in the Fix
Changes introduced in v4.9.3
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-6381 (WP Maps LFI) This plan outlines the steps to verify and exploit a Local File Inclusion (LFI) vulnerability in the **WP Maps** WordPress plugin (versions < 4.9.3). ## 1. Vulnerability Summary - **Vulnerability:** Authenticated (Subscriber+) Local File I…
Show full research plan
Exploitation Research Plan - CVE-2026-6381 (WP Maps LFI)
This plan outlines the steps to verify and exploit a Local File Inclusion (LFI) vulnerability in the WP Maps WordPress plugin (versions < 4.9.3).
1. Vulnerability Summary
- Vulnerability: Authenticated (Subscriber+) Local File Inclusion (LFI).
- Vulnerable Component: The
fc_load_templatefunction in theFlipperCode_Initialise_Coreclass. - File Path:
core/class.initiate-core.php. - Cause: The plugin takes user-controlled input (
template_type) and concatenates it into a file path used in aninclude_oncestatement. Whiletemplate_nameis passed throughsanitize_file_name(), thetemplate_typeparameter is only passed throughsanitize_text_field(), which does not prevent directory traversal sequences (../).
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php. - AJAX Action:
core_templates(registered viawp_ajax_core_templateshook). - Authentication: Required (Subscriber-level or higher).
- Vulnerable Parameters:
template_type: Used for path traversal.template_name: Used to specify the file and directory name (must be a directory containing a file of the
Summary
The WP Maps plugin for WordPress is vulnerable to Local File Inclusion in versions up to 4.9.3. Authenticated attackers with Subscriber-level access can manipulate the 'template_type' parameter via directory traversal to include arbitrary PHP files, allowing for remote code execution.
Vulnerable Code
// core/class.initiate-core.php:49 $template = sanitize_file_name($data['template_name']); $template_type = sanitize_text_field($data['template_type']); if ( isset( $data['template_name'] ) ) { $layout_file = $core_dir_path . 'templates/' . $template_type . '/' . $template . '/' . $template . '.html'; $layout_url = $core_dir_url . 'templates/' . $template_type . '/' . $template . '/' . $template . '.html'; ob_start(); include_once $layout_file; $content = ob_get_contents(); ob_clean(); }
Security Fix
@@ -52,7 +52,7 @@ $template = sanitize_file_name($data['template_name']); - $template_type = sanitize_text_field($data['template_type']); + $template_type = sanitize_file_name($data['template_type']); if ( isset( $data['template_name'] ) ) { $layout_file = $core_dir_path . 'templates/' . $template_type . '/' . $template . '/' . $template . '.html';
Exploit Outline
1. Authenticate as a Subscriber-level user and extract the 'fc-call-nonce' from the 'wpgmp_local' object in the page source. 2. Upload a file containing PHP code formatted as '[name].html' inside a folder named '[name]' (e.g., via a zip file or media library) so it resides on the server. 3. Trigger the vulnerability by sending a POST request to '/wp-admin/admin-ajax.php' with 'action=core_templates'. 4. In the request, set 'template_type' to a directory traversal path pointing to the parent directory of your payload (e.g., '../../../../wp-content/uploads/2026/01/'). 5. Set 'template_name' to the name used in your folder structure (e.g., 'payload'). The plugin will resolve the path and execute the file via 'include_once'.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.