CVE-2025-12062
📋 TL;DR
This vulnerability allows authenticated attackers with Subscriber-level access or higher to include arbitrary .html files on WordPress servers running the WP Maps plugin. Because the plugin includes the file rather than serving it, any PHP code inside an included .html file is executed, potentially leading to data theft, access control bypass, or full server compromise. All WordPress sites running WP Maps versions up to and including 4.8.6 are affected.
💻 Affected Systems
- WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress
⚠️ Manual Verification Required
Our database has no affected-version range for this CVE (none was supplied to NVD by the vendor at the time of writing), so automatic vulnerability detection cannot tell whether your install is affected.
Why? The NVD entry itself carries no version ranges. Use the manual version check under How to Verify instead: the vendor changeset linked under Official Fix ships the fix in 4.8.7, so anything at 4.8.6 or below should be treated as vulnerable.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, data exfiltration, website defacement, and backdoor installation.
Likely Case
Unauthorized file access, privilege escalation, and limited code execution through .html files containing PHP that the attacker has managed to place on the server (the default Subscriber role cannot upload media, so a second upload path or an already-present file is usually involved).
If Mitigated
Limited impact if file uploads are restricted and proper file type validation is implemented.
🎯 Exploit Status
Exploitation requires an authenticated account, but the default Subscriber role (which open registration hands out) is enough. The attacker also needs a file ending in .html that contains PHP at a path the include can reach; since Subscribers cannot upload media by default, that usually means a second, looser upload path or a file that is already on the server. Public exploit details are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.7 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3405282/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'WP Maps' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.8.7 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Restrict .html file uploads
Prevent upload of .html files through the WordPress media uploader or any other upload path on the site. By default WordPress rejects .html in the media uploader; it only accepts such files when ALLOW_UNFILTERED_UPLOADS is true or a plugin widens the allowed MIME types (the upload_mimes filter). Because the default Subscriber role cannot upload media at all, a second, looser upload path is usually what makes this bug exploitable, so audit every plugin that accepts files.
Check that wp-config.php does not define ALLOW_UNFILTERED_UPLOADS as true; defining it false matches the default: define('ALLOW_UNFILTERED_UPLOADS', false);
Use .htaccess to stop the web server from serving .html files directly (Apache 2.4 syntax; on Apache 2.2 the equivalent is the Order Allow,Deny / Deny from all pair):
<FilesMatch "\.html?$">
    Require all denied
</FilesMatch>
Note what this does and does not do: it blocks direct HTTP requests for .html files (and breaks any legitimate static .html pages), but it does not stop PHP's include from reading a planted file, so it does not mitigate the inclusion itself.
Remove Subscriber role access
Temporarily disable the Subscriber role or restrict plugin access to higher-privilege roles only. Bear in mind that the advisory covers Subscriber-level access and above, so every authenticated role can reach the vulnerable code path; shrinking the pool of low-trust accounts reduces exposure but does not remove it. If open registration is on (Settings → General → "Anyone can register", the users_can_register option), turn it off, since that is how anonymous attackers obtain Subscriber accounts.
Use a WordPress role editor plugin to modify capabilities.
Add to functions.php: remove_role('subscriber'); // Use with caution: this deletes the role from the database, strips existing Subscribers of their capabilities, and has to be restored with add_role()
🧯 If You Can't Patch
- Immediately disable the WP Maps plugin via WordPress admin or by renaming plugin directory
- Add web application firewall rules for the HTTP request that reaches fc_load_template. A WAF sees requests, not PHP function names, so identify the plugin's request handler and its template parameter from the plugin source or the vendor changeset, then block values on that request that contain path traversal sequences or end in .html
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WP Maps version. If version is 4.8.6 or lower, system is vulnerable.
Check Version:
wp plugin list --name="wp-maps" --field=version (if WP-CLI installed) or check WordPress admin interface
Verify Fix Applied:
Confirm WP Maps plugin version is 4.8.7 or higher in WordPress admin panel.
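To check a fleet of sites by script rather than by eye, the following added example (written for this page, not code from the page, NVD or the plugin vendor) reads the JSON that `wp plugin list --format=json` prints and applies the 4.8.7 cut-off with a numeric version comparison, which matters because plain string comparison ranks 4.8.10 below 4.8.6. It assumes the plugin's directory slug is wp-maps, as the WP-CLI command above does; confirm the slug from `wp plugin list` on your site. The plugin list embedded in the block is a constructed sample.

```python
import json
import re
import sys

# Directory slug assumed to be "wp-maps", as in this page's WP-CLI command; verify on your site.
PLUGIN_SLUG = "wp-maps"
FIXED_VERSION = "4.8.7"   # first release carrying the fix, per the vendor changeset


def parse_version(version):
    """'4.8.6' -> (4, 8, 6); '4.9' -> (4, 9, 0); '4.8.7-beta1' -> (4, 8, 7).
    Comparing tuples of ints avoids the string-compare trap where '4.8.10' < '4.8.6'.
    Pre-release suffixes are ignored, so treat a '4.8.7-beta' as fixed only if you are sure."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece.strip())
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version):
    """Anything below the fixed release (i.e. 4.8.6 and earlier) is vulnerable."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(plugin_list_json):
    """Take the text of `wp plugin list --format=json` and return a verdict for WP Maps.
    WP-CLI emits name, status, update and version for each installed plugin."""
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") == PLUGIN_SLUG:
            version = plugin.get("version") or "0"   # an empty version is treated as old
            return {
                "installed": True,
                "version": version,
                "active": plugin.get("status") in ("active", "active-network"),
                "vulnerable": is_vulnerable(version),
                "update_available": plugin.get("update") == "available",
            }
    return {"installed": False, "vulnerable": False}


# Constructed sample of WP-CLI output, not taken from a real site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3.5"},
    {"name": "wp-maps", "status": "active", "update": "available", "version": "4.8.6"},
])

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    verdict = triage(data)
    print(json.dumps(verdict, indent=2))
    sys.exit(1 if verdict["vulnerable"] else 0)   # non-zero exit makes it usable in fleet scripts
```

Run it as `wp plugin list --format=json | python3 check_wp_maps.py`; with nothing piped in it evaluates the embedded sample. After updating (for example with `wp plugin update` on the slug), rerun it and confirm `vulnerable` is false.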
📡 Detection & Monitoring
Log Indicators:
- Repeated requests to the plugin's request handler (the code path that reaches fc_load_template) whose template parameter ends in .html or contains path traversal sequences (../, URL-encoded or double-encoded)
- File inclusion attempts in web server logs: paths walking out of the plugin directory toward wp-content/uploads or other writable locations
- Unexpected .html file uploads followed by requests that reference them
Network Indicators:
- GET/POST requests to the plugin's handler carrying file paths or .html names in their parameters (POST bodies do not appear in standard access logs; a WAF or application log is needed to see them)
- Unusual file inclusion patterns from authenticated users, especially freshly registered Subscriber accounts
SIEM Query:
source="web_server_logs" AND ((uri="*fc_load_template*" OR params="*fc_load_template*") OR params="*../*" OR params="*%2e%2e*") AND (file_ext=".html" OR path="*.html" OR params="*.html*")
The field names above are illustrative; map them to your log schema. The function name only shows up in logs if the plugin passes it in the request, so do not rely on that clause alone; the traversal and .html clauses are the generic local-file-inclusion signal.
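The indicators above, turned into detection logic that runs over Combined Log Format access-log lines, as an added example (written for this page; not code from the page, NVD or the plugin vendor). It URL-decodes parameter values twice so double-encoded traversal is caught, treats a trailing NUL after .html as the same signal, and reports clients with repeated hits. The log lines in the block are constructed, use RFC 5737 documentation addresses, and use placeholder parameter names (action, template, tpl) that are not claimed to be the plugin's real request signature.

```python
import re
import sys
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined Log Format as written by Apache/nginx by default. The third field is the
# HTTP Basic-auth user (usually "-"); WordPress logins are cookie-based and never
# appear here, so attribute a client to a WordPress account via application or WAF logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TRAVERSAL = re.compile(r'\.\.[/\\]')                    # ../ or ..\ after decoding
HTML_EXT = re.compile(r'\.html?\x00?$', re.IGNORECASE)  # .htm/.html, optional NUL byte
FUNC_NAME = "fc_load_template"                          # function named in the advisory


def decode(value, rounds=2):
    """URL-decode repeatedly (bounded) so double-encoded %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Yield (param, decoded_value, reason) for query parameters that look like attempts
    to steer a server-side include toward an attacker-chosen .html file."""
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode(raw)   # parse_qsl decoded once already; this peels a second layer
        if FUNC_NAME in name or FUNC_NAME in value:
            yield name, value, "function name in request"
        elif TRAVERSAL.search(value):
            yield name, value, "path traversal"
        elif HTML_EXT.search(value):
            yield name, value, ".html template path"


def scan(lines):
    """Return one finding dict per suspicious parameter found in the access-log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed or non-CLF line
        for name, value, reason in suspicious_params(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "status": m["status"], "param": name,
                             "value": value, "reason": reason})
    return findings


def noisy_clients(findings, min_hits=2):
    """Clients with repeated hits: the 'multiple requests' indicator from the advisory."""
    counts = Counter(f["ip"] for f in findings)
    return {ip for ip, n in counts.items() if n >= min_hits}


# Constructed sample log. Line 5 is a POST: its body never reaches the access log, which
# is why WAF or application logging is needed for full coverage of this vulnerability.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2025:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Nov/2025:10:02:41 +0000] "GET /wp-admin/admin-ajax.php?action=load_template&template=../../uploads/2025/11/shell.html HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.23 - - [12/Nov/2025:10:02:55 +0000] "GET /wp-admin/admin-ajax.php?action=load_template&template=%252e%252e%252fuploads%252f2025%252f11%252fshell.html HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.23 - - [12/Nov/2025:10:03:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.23 - - [12/Nov/2025:10:03:30 +0000] "GET /?page_id=2&tpl=/var/www/html/wp-content/uploads/evil.html%00 HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    results = scan(lines)
    for f in results:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['status']} {f['reason']}: {f['param']}={f['value']!r}")
    print("clients with repeated hits:", sorted(noisy_clients(results)))
```

Feed it a real log with `python3 lfi_scan.py < /var/log/apache2/access.log`; without piped input it runs over the embedded sample. Because the plugin's handler name is not known from the advisory, the scan keys on the generic inclusion signals (traversal, .html targets) rather than a fixed path; tighten it to the plugin's real request signature once you have it from the source or the vendor changeset.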