WP Maps Plugin Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability has been identified in the WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress, affecting all versions through 4.8.6. The flaw is in the fc_load_template function and allows authenticated attackers with Subscriber-level access or above to include and execute arbitrary .html files on the server. Any PHP code contained in those files is executed, which can be used to bypass access controls, access sensitive data, or achieve code execution in scenarios where .html files can be uploaded and included.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive data, bypassing of access controls, or execution of malicious code on the server, depending on the context and capabilities of the exploited .html files.

Remediation

Users are advised to update the WP Maps plugin to version 4.8.7 or a newer patched version.
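
For developers maintaining a similar template loader, the sketch below shows one way to close the bug class described under Vulnerability: allow-list the template name, confirm the resolved path stays inside the template directory, and read the file as data instead of including it. This is an added example, not the plugin's code or its 4.8.7 patch; the function names, directory layout, and the assumption that templates are static markup are hypothetical.

```php
<?php
// Added illustration with hypothetical names; not the plugin's code or patch.

/** Map a requested template name to a file inside $baseDir, or null. */
function resolve_template(string $baseDir, string $name): ?string
{
    // 1. Allow-list the name: letters, digits, "_" and "-" only, so it cannot
    //    carry path separators, dots, NUL bytes or stream-wrapper prefixes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // 2. Canonicalise, then confirm the result is still under the template
    //    directory (this also catches a symlink that points elsewhere).
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.html');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/** Return the template markup, or '' when the name is refused or missing. */
function render_template(string $baseDir, string $name): string
{
    $path = resolve_template($baseDir, $name);
    if ($path === null) {
        return '';
    }
    // 3. Read the file as data. include/require would hand it to the PHP
    //    interpreter and run any PHP block it contains.
    $html = file_get_contents($path);
    return $html === false ? '' : $html;
}

// Constructed demo: one legitimate template, one .html file outside the directory.
$root = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/card.html', '<div class="card"></div>');
file_put_contents($root . '/stray.html', 'outside the template directory');

var_dump(render_template($root . '/templates', 'card'));     // served from the template directory
var_dump(render_template($root . '/templates', '../stray')); // refused by the allow-list
```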

Added: Feb 17, 2026, 12:20 AM
Updated: Feb 17, 2026, 12:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.5
remediation: 0.0
relevance: 3.1
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.