CVE-2025-12062 Overview
CVE-2025-12062 is a Local File Inclusion (LFI) vulnerability in the WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress. All versions up to and including 4.8.6 are affected; the flaw is in the plugin's fc_load_template function. Authenticated attackers with Subscriber-level access or above can make the function include arbitrary .html files on the server. Because PHP's include statement parses whatever file it is handed as PHP regardless of the file's extension, any PHP code inside such a file is executed on the server.
Critical Impact
Authenticated attackers can bypass access controls, obtain sensitive data, or achieve remote code execution. Code execution requires an .html file containing PHP code to be present on the server or to be placed there, for example through an upload feature; without such a file the impact is limited to including existing .html content.
Affected Products
- WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress versions ≤ 4.8.6
Discovery Timeline
- 2026-02-17 - CVE-2025-12062 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-12062
Vulnerability Analysis
This Local File Inclusion vulnerability stems from improper input validation in the fc_load_template function of the WP Maps plugin. The function does not adequately sanitize the user-supplied value it uses to build a file path, so an attacker can steer it to an arbitrary .html file on the server's filesystem. Because PHP's include and require statements execute any file they are given as PHP, irrespective of its extension, an .html file that contains an opening PHP tag is executed, turning a file inclusion bug into a code execution bug.
The attack requires only Subscriber-level authentication, the lowest built-in WordPress role. WordPress ships with open registration disabled, but many sites enable it (Settings > General > "Anyone can register"), and the default role for new users is Subscriber, so on such sites any visitor can obtain the access needed to exploit this flaw.
Root Cause
The root cause is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The fc_load_template function does not validate or canonicalize the file path parameter before including the file, so "../" sequences in the supplied value walk out of the intended template directory and reach files elsewhere on the server.
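The check that a loader like fc_load_template needs is shown below as an added example, written in Python rather than the plugin's PHP; it is not the plugin's code, and the directory layout, template names and the attacker's evil.html are constructed for the demonstration. It also shows why a naive filter that strips "../" once is not a fix.

```python
"""
Added example (not the plugin's code): the CWE-22 check a template loader
such as fc_load_template needs, illustrated in Python.  The template
directory, file names and the uploads path are constructed; the plugin's
real parameter names and layout are not given by the advisory.
"""
import os
import tempfile


class TemplateError(ValueError):
    """Raised when a requested template name is rejected."""


def naive_strip(requested: str) -> str:
    """The kind of filter that does NOT fix CWE-22: removing '../' once is
    undone by nesting the sequence ('....//' becomes '../')."""
    return requested.replace("../", "")


def resolve_template(template_dir: str, requested: str) -> str:
    """Return the real path of `requested` inside `template_dir`, or raise.

    Checks, in order: the value must be a bare file name (no separators,
    not '.' or '..'), it must carry the extension the loader expects, and
    the canonical path from realpath must remain under the template
    directory.  The last check is the one that counts: it also catches
    symlinks and any normalisation the string checks miss.
    """
    if requested in ("", ".", "..") or requested != os.path.basename(requested):
        raise TemplateError("not a bare file name")
    if not requested.endswith(".php"):
        raise TemplateError("unexpected extension")
    root = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise TemplateError("resolves outside the template directory")
    if not os.path.isfile(candidate):
        raise TemplateError("no such template")
    return candidate


def demo() -> dict:
    """Build a throwaway layout and run benign and hostile names through
    resolve_template.  Returns {requested: 'allowed' | 'rejected: <why>'}."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = os.path.join(tmp, "plugin", "templates")
        uploads = os.path.join(tmp, "uploads")
        os.makedirs(tpl)
        os.makedirs(uploads)
        with open(os.path.join(tpl, "map.php"), "w") as fh:
            fh.write("<?php // legitimate template\n")
        evil = os.path.join(uploads, "evil.html")
        with open(evil, "w") as fh:
            fh.write("<?php echo 'attacker code'; ?>\n")  # constructed payload
        cases = [
            "map.php",
            "../../uploads/evil.html",
            naive_strip("....//....//uploads/evil.html"),  # still '../../...'
            "/etc/passwd",
            # null byte: fails the extension check here; PHP itself has
            # refused paths containing NUL in include() since 5.3.4
            "map.php\x00.html",
        ]
        try:  # a symlink inside the template dir that points outside it
            os.symlink(evil, os.path.join(tpl, "link.php"))
            cases.append("link.php")
        except OSError:
            pass  # platform without symlink support: skip that case
        results = {}
        for req in cases:
            try:
                resolve_template(tpl, req)
                results[req] = "allowed"
            except TemplateError as exc:
                results[req] = f"rejected: {exc}"
        return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r:45} {verdict}")
```

The realpath containment test is the check that matters; the PHP equivalent is realpath() on the joined path compared against realpath() of the template directory, with the bare-name and extension checks in front of it so that the filesystem is never consulted for obviously hostile values.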
Attack Vector
The vulnerability is exploitable over the network and requires low-privilege authentication (Subscriber-level). An attacker can exploit this vulnerability through the following attack chain:
- The attacker authenticates to the WordPress site with at least Subscriber-level access
- The attacker needs an .html file containing PHP code on the server, either placed there through some upload path or already present. WordPress core does not grant Subscribers the upload_files capability and removes .html from the allowed upload types for users without unfiltered_html, so this step normally depends on another plugin, a theme form, or a misconfiguration
- The attacker sends a request that reaches fc_load_template with a manipulated file path parameter
- The function includes the .html file, and any PHP code within it runs with the privileges of the web server user
Path traversal through fc_load_template allows inclusion of arbitrary .html files; combined with a way to plant such a file, it yields remote code execution on the server. See the Wordfence Vulnerability Report for additional technical details.
Detection Methods for CVE-2025-12062
Indicators of Compromise
- HTTP requests to WP Maps plugin endpoints (admin-ajax.php actions or URLs under the plugin directory) whose query string or body contains traversal sequences in plain (../), percent-encoded (..%2f, %2e%2e%2f) or double-encoded (%252e%252e%252f) form
- Web server or WAF log entries for requests that reach fc_load_template with a file path parameter that is not a bare template name, in particular values pointing into wp-content/uploads or ending in .html
- Newly created or modified .html files, especially under wp-content/uploads, that contain a PHP opening tag (<?php or <?=)
- Subscriber-level accounts issuing requests to plugin endpoints that a subscriber has no reason to use
Detection Strategies
- Monitor web application firewall (WAF) logs for path traversal patterns, including percent-encoded and double-encoded forms, in requests targeting the WP Maps plugin
- Implement file integrity monitoring on the WordPress installation directory, wp-content/uploads included, to detect unauthorized file creation or modification
- Review user activity for Subscriber-level accounts reaching plugin functionality; WordPress core keeps no activity log, so this requires an audit-log plugin
- Deploy runtime application self-protection (RASP) solutions to detect and block file inclusion attacks
Monitoring Recommendations
- Ensure web server access logs record full request URIs including query strings and, where a WAF or reverse proxy is in place, request bodies, since admin-ajax.php parameters are commonly sent via POST and are otherwise invisible in logs
- Configure alerts for requests to plugin endpoints that contain directory traversal sequences
- Monitor for the creation or modification of .html files that contain PHP opening tags, particularly in wp-content/uploads
- Set up automated scanning for known vulnerable versions of the WP Maps plugin across your WordPress deployments
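The detection logic described above, run over a few access log lines, as an added example that is not part of the advisory: it parses combined-format log lines, restricts attention to requests that can reach plugin code (admin-ajax.php and anything under wp-content/plugins/), decodes each query parameter until it stops changing so that single- and double-encoded traversal is caught, and flags a ".." path segment. The log lines, client addresses, plugin directory name (example-plugin) and parameter names (action, template, file) are constructed placeholders; the advisory does not name the real endpoint or parameter.

```python
"""
Added example (not from the advisory or the plugin): scan combined-format
access log lines for directory-traversal sequences in query parameters of
requests to WordPress plugin endpoints.  All log lines, addresses, the
plugin directory and parameter names below are constructed placeholders.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: host ident user [time] "method target protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Only requests that can reach plugin code: admin-ajax.php actions, or files
# served straight out of a plugin directory.
PLUGIN_PATH_RE = re.compile(r'^/wp-admin/admin-ajax\.php$|^/wp-content/plugins/')
# A '..' path segment after decoding and after backslashes are normalised.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both come out as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def scan_line(line: str):
    """Return a finding dict if the request looks like a traversal attempt
    against a plugin endpoint, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not PLUGIN_PATH_RE.search(unquote(parts.path)):
        return None
    # parse_qsl already decodes one layer; fully_decode handles the rest.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(raw)
        if TRAVERSAL_RE.search(decoded) or "\x00" in decoded:
            return {
                "ip": m.group("ip"),
                "time": m.group("time"),
                "path": parts.path,
                "param": name,
                "decoded": decoded,
                "status": int(m.group("status")),
            }
    return None


def scan_log(lines):
    """Collect findings over an iterable of log lines.  Only the URL and query
    string are logged by a web server; a parameter sent in a POST body (the
    usual transport for admin-ajax.php) is invisible here and needs a WAF or
    reverse-proxy log that records request bodies."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample log: two benign requests, three traversal attempts.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Feb/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&template=map.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Feb/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&template=../../uploads/2026/02/shell.html HTTP/1.1" 200 98 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [17/Feb/2026:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&template=..%252f..%252fuploads%252fshell.html HTTP/1.1" 200 98 "-" "curl/8.5.0"',
    '198.51.100.4 - - [17/Feb/2026:10:02:40 +0000] "GET /wp-content/plugins/example-plugin/view.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '192.0.2.9 - - [17/Feb/2026:10:03:00 +0000] "GET /?s=maps+near+me HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [17/Feb/2026:10:03:30 +0000] "GET /wp-content/plugins/example-plugin/assets/map.js?ver=4.8.6 HTTP/1.1" 200 30210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Pipe a real log through scan_log(open("/var/log/apache2/access.log")) to run it on a host; the status code is kept in each finding because a 200 on a traversal attempt, as in the second and third sample lines, is the case to escalate, while a WAF 403 shows the attempt was blocked.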
How to Mitigate CVE-2025-12062
Immediate Actions Required
- Update the WP Maps plugin to a version newer than 4.8.6 immediately
- Review WordPress user accounts and remove unnecessary Subscriber-level access
- Audit recently modified or created .html files for embedded PHP code
- Until the update is applied, add a Web Application Firewall (WAF) rule that blocks path traversal sequences, plain and percent-encoded, in requests targeting the plugin, inspecting POST bodies as well as query strings
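The audit of .html files for embedded PHP, as an added example that is not part of the advisory: the script walks a directory tree, reads every .html or .htm file as bytes and reports those containing a PHP opening tag, optionally restricted to files modified after a given time. The directory layout and file contents in demo() are constructed in a temporary directory; on a real host point scan_tree at wp-content/uploads or the WordPress root.

```python
"""
Added example (not from the advisory): hunt for .html/.htm files that
contain PHP code, the artefact an attacker needs for this LFI to become
code execution.  The tree and file contents in demo() are constructed.
"""
import os
import re
import tempfile
from typing import Optional

# An opening PHP tag: the full tag, the echo short form, or the bare short
# tag (executed only when short_open_tag is on, but still worth a look).
# '<?xml' deliberately does not match.
PHP_TAG_RE = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)
HTML_EXT = (".html", ".htm")


def file_has_php(path: str) -> bool:
    """True if an opening PHP tag appears anywhere in the file.  The file is
    read as bytes so its text encoding does not matter."""
    with open(path, "rb") as fh:
        return PHP_TAG_RE.search(fh.read()) is not None


def scan_tree(root: str, since: Optional[float] = None):
    """Walk `root` and return (relative_path, mtime) for every .html/.htm file
    that contains PHP.  With `since` (a Unix timestamp) only files modified
    after that moment are examined, matching the "recently modified" IoC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(HTML_EXT):
                continue
            full = os.path.join(dirpath, name)
            mtime = os.path.getmtime(full)
            if since is not None and mtime < since:
                continue
            if file_has_php(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, mtime))
    return sorted(hits)


def demo():
    """Constructed layout; returns the relative paths scan_tree flags."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "uploads/2026/02/brochure.html": b"<!doctype html><p>Store hours</p>",
            "uploads/2026/02/shell.html": b"<html><?php system($_GET['c']); ?></html>",
            "uploads/x.htm": b"<?= file_get_contents('wp-config.php') ?>",
            "uploads/oldstyle.HTML": b"<? passthru($_POST['cmd']); ?>",
            "uploads/readme.txt": b"<?php not scanned: wrong extension",
            "themes/demo/page.html": b"<?xml version='1.0'?><p>xml prolog, not php</p>",
        }
        for rel, content in samples.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        return [rel for rel, _ in scan_tree(tmp)]


if __name__ == "__main__":
    for rel in demo():
        print("PHP in", rel)
```

A hit is a candidate, not a verdict: confirm by reading the file, then check the web server logs for requests that included it, because a planted file that was never included still tells you an upload path exists.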
Patch Information
A patch addressing this vulnerability is available through the WordPress plugin repository. The fix can be reviewed in the WordPress Changeset Update. Site administrators should update to the latest version of the WP Maps plugin through the WordPress admin dashboard or by manually downloading from the WordPress plugin repository.
Workarounds
- If immediate patching is not possible, temporarily disable the WP Maps plugin until an update can be applied
- Restrict user registration on the WordPress site to prevent new Subscriber accounts from being created
- Set PHP's open_basedir for the site so that include() cannot read files outside the WordPress installation and its temporary directory; this limits what a traversal can reach but does not remove the flaw, since wp-content/uploads remains inside the allowed tree
- Add an Apache .htaccess rule (requires AllowOverride FileInfo) that rejects requests whose query string carries a traversal sequence, as below; this is a stop-gap, not a fix
# Apache .htaccess rule to reject directory-traversal sequences in the query string.
# Covers the plain form (../) and percent-encoded forms (..%2f, %2e%2e%2f, %2E%2E%2F).
# Limits: mod_rewrite never sees POST bodies, so a parameter posted to admin-ajax.php
# is not inspected, and the pattern does not undo %25 double encoding.
# %{REQUEST_URI} is decoded and path-normalised by Apache before rewrite rules run,
# so a separate condition on it adds nothing here. [F] implies [L].
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.|%2e){2}(/|%2f) [NC]
RewriteRule .* - [F]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

