CVE-2026-3222
📋 TL;DR
The WP Maps WordPress plugin contains a SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data from the database. The flaw is reached through the plugin's wpgmp_ajax_call AJAX action, served via /wp-admin/admin-ajax.php, by supplying a crafted location_id parameter. All WordPress sites running WP Maps version 4.9.1 or earlier are affected; version 4.9.2 contains the fix.
💻 Affected Systems
- WP Maps (WP Google Map Plugin) for WordPress
⚠️ Manual Verification Required
Automated version matching may not flag this issue: the NVD entry for this CVE carries no version range, so scanners that rely on NVD data cannot tell whether a given install is affected.
Rely on the version information given elsewhere on this page (4.9.1 and earlier affected; fixed in 4.9.2) and confirm the installed version manually.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to version 4.9.2 or later, the release that contains the fix
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, sensitive content, and potentially administrative access to the WordPress site.
Likely Case
Extraction of sensitive data such as user records, password hashes, and private content from the database.
If Mitigated
Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.
🎯 Exploit Status
The vulnerability is straightforward to exploit: the handler is registered on the wp_ajax_nopriv_ hook, so any unauthenticated visitor can reach it with an HTTP request to /wp-admin/admin-ajax.php carrying action=wpgmp_ajax_call and a SQL injection payload in the location_id parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.2 or later
Vendor Advisory: https://wordpress.org/plugins/wp-google-map-plugin/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP Google Map Plugin'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 4.9.2 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove the unauthenticated AJAX handler registration to prevent exploitation.
Edit wp-google-map-plugin.php and comment out line 590: add_action('wp_ajax_nopriv_wpgmp_ajax_call', array($this, 'wpgmp_ajax_call')); Note that this edit is overwritten by the next plugin update and that it also breaks the plugin's AJAX calls for logged-out visitors, so treat it as a stopgap until 4.9.2 is installed.
Web Application Firewall rule
Block requests containing SQL injection patterns targeting the wpgmp_ajax_call endpoint.
WAF rule: Block if URI contains 'admin-ajax.php' AND the request carries action=wpgmp_ajax_call (in the query string or POST body; the action is not in the Referer header) AND the location_id value, after URL-decoding, contains SQL keywords or comment sequences (UNION, SELECT, SLEEP, --, /*).
🧯 If You Can't Patch
- Disable the WP Maps plugin entirely until patched
- Implement network-level blocking of requests to /wp-admin/admin-ajax.php containing suspicious SQL patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WP Google Map Plugin version 4.9.1 or earlier
Check Version:
wp plugin list --name='wp-google-map-plugin' --field=version (if WP-CLI installed)
Verify Fix Applied:
Verify plugin version is 4.9.2 or later in WordPress admin panel
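The admin-panel and WP-CLI checks above cover one site at a time. For fleets, the check below reads the plugin's "Version:" header directly from its main file and compares it against the 4.9.2 fix version using the range stated on this page. This is an added example, not code from the plugin or from the vendor; the file path under wp-content/plugins is the standard WordPress layout, and the sample header is constructed for the demonstration.

```python
"""Check whether an installed WP Maps (wp-google-map-plugin) copy predates the 4.9.2 fix."""
import re
from pathlib import Path
from typing import Optional

# Version range stated in this advisory: 4.9.1 and earlier affected, fixed in 4.9.2.
FIXED_VERSION = (4, 9, 2)
# Standard location of the plugin's main file relative to a WordPress document root.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/wp-google-map-plugin/wp-google-map-plugin.php")

# WordPress reads plugin metadata from a "Version:" header in the main file's
# leading comment block; leading comment characters on the line are tolerated.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_plugin_version(text: str) -> Optional[tuple]:
    """Extract the Version header as a tuple of ints, e.g. (4, 9, 1).

    Non-numeric suffixes (e.g. '4.9.2-beta') are dropped; returns None if no header is found.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = []
    for piece in m.group(1).split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts) or None


def is_vulnerable(version: tuple) -> bool:
    """True if the version sorts before the fixed release (short versions are zero-padded)."""
    padded = tuple(version) + (0,) * (len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION


def check_install(wp_root) -> dict:
    """Report the plugin's status for one WordPress document root (path or string)."""
    main_file = Path(wp_root) / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    version = parse_plugin_version(main_file.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        # Plugin present but header unreadable: unknown, review by hand.
        return {"installed": True, "version": None, "vulnerable": None}
    return {
        "installed": True,
        "version": ".".join(map(str, version)),
        "vulnerable": is_vulnerable(version),
    }


# Constructed sample header in WordPress plugin-file shape; not the plugin's real file.
SAMPLE_HEADER_4_9_1 = """<?php
/**
 * Plugin Name: WP Maps
 * Description: Constructed sample header for the version check.
 * Version: 4.9.1
 */
"""

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(check_install(root))
```

Run it as `python check_wpmaps.py /var/www/site` on each document root; a `vulnerable: None` result means the plugin directory exists but the header could not be parsed, which deserves a manual look rather than being counted as safe.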
📡 Detection & Monitoring
Log Indicators:
- Bursts of requests to /wp-admin/admin-ajax.php with action=wpgmp_ajax_call from a single source IP
- SQL keywords or comment sequences (UNION, SELECT, SLEEP, --, /*) in the location_id parameter after URL-decoding. Standard access logs record the query string but not POST bodies, so a payload sent in the body is only visible where the WAF or the application logs request bodies.
- Unusual query patterns on the WordPress database connection, for example long-running queries appearing in the MySQL slow query log from SLEEP()-based time probes
Network Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with SQL injection payloads
- Spikes in query volume or latency on the web server's existing database connection; the injected SQL runs over the application's own connection, so no new connection to the database server appears
SIEM Query:
source="web_access.log" AND uri="/wp-admin/admin-ajax.php" AND (params="*wpgmp_ajax_call*" OR params="*location_id=*UNION*" OR params="*location_id=*SLEEP*")
Normalize URL-encoding before matching (a payload sent as %55NION, or with %20 separators, does not match the literal patterns above), and treat this as a query-string-only check: parameters carried in a POST body are not in the access log.
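The SIEM query above matches literal substrings, which misses URL-encoded and double-encoded payloads. The detector below applies the same logic to combined-format access log lines but decodes the location_id value before matching, and marks POST requests whose parameters were not in the query string so that they are not mistaken for clean traffic. This is an added example, not code from the page's source or from the plugin; the log lines are constructed test fixtures using RFC 5737 addresses and generic probe strings, not captured traffic.

```python
"""Flag access-log requests to the WP Maps AJAX action whose location_id looks like SQL injection."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Leading fields of the Apache/nginx combined log format; only the fields we use are named.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Injection indicators, applied to the fully decoded parameter value.
SQLI_RE = re.compile(
    r"\bunion\b.*?\bselect\b"      # UNION-based extraction
    r"|\bselect\b.*?\bfrom\b"      # inline SELECT
    r"|\bsleep\s*\("               # time-based probe
    r"|\bbenchmark\s*\("           # time-based probe
    r"|\bor\b\s+\d+\s*=\s*\d+"     # tautology
    r"|--|/\*",                    # comment sequences used to truncate the query
    re.IGNORECASE | re.DOTALL,
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "wpgmp_ajax_call"


def classify(line: str) -> Optional[dict]:
    """Return a verdict for a request to the WP Maps AJAX action, or None if the line is unrelated."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if not target.path.endswith(AJAX_PATH):
        return None
    params = parse_qs(target.query, keep_blank_values=True)  # first layer of URL-decoding
    if params.get("action", [""])[0] != AJAX_ACTION:
        return None
    # Second decode catches double-encoded payloads (%2520 -> %20 -> space); a legitimate
    # value containing a literal '%' could be mangled, which is acceptable for a detector.
    location_id = unquote_plus(params.get("location_id", [""])[0])
    hit = SQLI_RE.search(location_id)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "location_id": location_id,
        "suspicious": hit is not None,
        "pattern": hit.group(0) if hit else None,
        # Access logs do not carry POST bodies; a body-borne payload is invisible here.
        "body_not_logged": m.group("method") == "POST" and "location_id" not in params,
    }


def scan(lines) -> list:
    """Return verdicts for every suspicious request in an iterable of log lines."""
    return [v for v in (classify(line) for line in lines) if v and v["suspicious"]]


def count_by_ip(alerts) -> Counter:
    """Alert count per source IP, for spotting a single scanner hammering the endpoint."""
    return Counter(a["ip"] for a in alerts)


# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    # UNION probe, single URL-encoded
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512 "-" "curl/8.6.0"',
    # ordinary-looking lookup
    '198.51.100.20 - - [10/Mar/2026:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=42 HTTP/1.1" 200 2048 "https://example.test/map/" "Mozilla/5.0"',
    # unrelated AJAX action
    '198.51.100.20 - - [10/Mar/2026:12:00:06 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    # POST with parameters in the body: payload not visible in the access log
    '203.0.113.7 - - [10/Mar/2026:12:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=wpgmp_ajax_call HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    # time-based probe, double URL-encoded
    '203.0.113.7 - - [10/Mar/2026:12:00:15 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=1%2520AND%2520SLEEP%25285%2529 HTTP/1.1" 200 512 "-" "curl/8.6.0"',
]

if __name__ == "__main__":
    alerts = scan(SAMPLE_LOG)
    for a in alerts:
        print(f'{a["ts"]} {a["ip"]} {a["method"]} location_id={a["location_id"]!r} matched {a["pattern"]!r}')
    print(count_by_ip(alerts))
```

Feed it real logs with `scan(open("/var/log/nginx/access.log"))`. The body_not_logged flag is the important caveat: a request like the fourth sample line is exactly what a tool sending its payload in the POST body leaves behind, so a count of those from one IP is a signal in its own right even though no SQL keyword is visible.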
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/core/class.model.php#L328
- https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/wp-google-map-plugin.php#L250
- https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/wp-google-map-plugin.php#L590
- https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/core/class.model.php#L328
- https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/wp-google-map-plugin.php#L250
- https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/wp-google-map-plugin.php#L590
- https://plugins.trac.wordpress.org/changeset/3475665/wp-google-map-plugin/trunk/core/class.model.php
- https://plugins.trac.wordpress.org/changeset/3475665/wp-google-map-plugin/trunk/wp-google-map-plugin.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3475665%40wp-google-map-plugin%2Ftrunk&old=3439153%40wp-google-map-plugin%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b612267c-a125-4153-9de7-bb12a7646021?source=cve