WP Maps WordPress Plugin Time-Based SQL Injection Vulnerability (CVE-2026-2580)
The WP Maps WordPress plugin before version 4.9.2 is vulnerable to time-based SQL Injection via the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive information from the database.
The WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress, a widely used plugin for integrating map functionality into WordPress sites, contains a critical time-based SQL Injection vulnerability. Assigned CVE-2026-2580, this flaw affects all versions up to and including 4.9.1. The vulnerability lies within the ‘orderby’ parameter, where insufficient input sanitization allows unauthenticated attackers to inject malicious SQL queries. By…
Detection coverage (2 rules)
WP Maps Orderby SQL Injection Attempt
high: Detects potential SQL injection attempts in the 'orderby' parameter of the WP Maps plugin.
WP Maps Orderby SQL Injection Attempt - Error Based
medium: Detects potential SQL injection attempts in the 'orderby' parameter of the WP Maps plugin using error-based techniques.
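As an added illustration of the kind of check these two rules describe (not the platform's detection queries and not code from the plugin), the following script flags 'orderby' values in web access logs that fall outside a plain column-list shape. It assumes combined-format log lines with the parameter in the URL query string; the request path, the sample lines and the "low" label for other non-allowlisted values are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A legitimate ORDER BY value: column names, optional ASC/DESC, comma-separated.
SAFE_ORDERBY = re.compile(
    r"^[\w.]+(\s+(asc|desc))?(\s*,\s*[\w.]+(\s+(asc|desc))?)*$", re.I)
# Delay and error-raising SQL functions commonly seen in injection probes.
TIME_BASED = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)
ERROR_BASED = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, hypothetical path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /locations/?orderby=title+desc HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /locations/?orderby=id%2C(select+sleep(5)) HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:12 +0000] "GET /locations/?orderby=updatexml(1%2C1%2C1) HTTP/1.1" 500 0',
    '203.0.113.4 - - [01/Jan/2026:10:01:00 +0000] "GET /locations/?orderby=title%3B-- HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2026:10:02:00 +0000] "GET /locations/?page=2 HTTP/1.1" 200 512',
]

def classify_orderby(value):
    """Return None for an allowlisted value, else (severity, technique)."""
    value = value.strip()
    if SAFE_ORDERBY.match(value):
        return None
    if TIME_BASED.search(value):
        return ("high", "time-based")
    if ERROR_BASED.search(value):
        return ("medium", "error-based")
    return ("low", "not-allowlisted")  # severity label is an assumption

def scan(lines):
    """Return findings as (line_no, severity, technique, decoded_value)."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes, so encoded payloads are compared in clear form.
        params = parse_qs(urlsplit(match.group(1)).query)
        for value in params.get("orderby", []):
            verdict = classify_orderby(value)
            if verdict:
                findings.append((line_no, *verdict, value))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body do not appear in access logs, so the same classification would have to run at a WAF or in application logging to cover them.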