CVE-2026-3222 Overview
The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the location_id parameter in all versions up to, and including, 4.9.1. This vulnerability exists because the plugin's database abstraction layer (FlipperCode_Model_Base::is_column()) treats user input wrapped in backticks as column names, effectively bypassing the esc_sql() escaping function. Additionally, the wpgmp_ajax_call AJAX handler, which is registered for unauthenticated users via wp_ajax_nopriv, allows calling arbitrary class methods including wpgmp_return_final_capability. This method passes the unsanitized location_id GET parameter directly to a database query, enabling unauthenticated attackers to extract sensitive information from the database.
Critical Impact
Unauthenticated attackers can exploit this SQL Injection vulnerability to extract sensitive data from WordPress databases, including user credentials, configuration data, and potentially other site content without any authentication requirement.
Affected Products
- WP Maps plugin for WordPress versions up to and including 4.9.1
- WordPress installations using vulnerable WP Google Map Plugin versions
- Any WordPress site with the affected plugin activated
Discovery Timeline
- 2026-03-11 - CVE-2026-3222 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-3222
Vulnerability Analysis
This SQL Injection vulnerability demonstrates a sophisticated bypass of WordPress's built-in input sanitization mechanisms. The root issue lies in how the FlipperCode_Model_Base::is_column() function in class.model.php processes user-supplied input. When input is wrapped in backticks (the SQL identifier quote character), the function interprets it as a legitimate column name rather than a value requiring escaping. This architectural flaw allows attackers to inject malicious SQL statements that bypass the esc_sql() function, which WordPress developers typically rely upon for database query sanitization.
The attack surface is significantly expanded by the wpgmp_ajax_call AJAX handler implementation. Because this handler is registered using wp_ajax_nopriv, it is accessible to unauthenticated users. The handler exposes the ability to call arbitrary class methods, including wpgmp_return_final_capability, which directly incorporates the unsanitized location_id parameter into SQL queries. This creates a complete attack chain from unauthenticated access to database exfiltration.
Root Cause
The vulnerability stems from improper input validation and insufficient sanitization in the plugin's database abstraction layer. Specifically, the FlipperCode_Model_Base::is_column() function fails to properly validate input that contains backtick characters, treating such input as trusted column identifiers. Combined with the AJAX handler's registration for unauthenticated access and the direct use of unsanitized GET parameters in database queries, this creates an exploitable SQL Injection vulnerability. The failure to implement parameterized queries or prepared statements at the database layer compounds the issue.
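To make the root cause concrete, the following is an added example (written for this page, not code from the WP Maps plugin or its vendor) that contrasts a backtick-trusting identifier check, modelled on the behaviour the advisory describes, with a schema-allowlist check plus a parameterised query. The function names, the column list and the table name wp_map_locations are assumptions chosen for illustration:

```python
"""
Simplified reconstruction of the identifier-validation flaw described
above, beside a hardened alternative.  This is an added example; it is
NOT the plugin's own code, and every name here is an assumption.
"""
import re

# Constructed schema allowlist: the only columns a query on the
# (assumed) locations table is allowed to reference.
LOCATION_COLUMNS = frozenset({
    "location_id", "location_title", "location_address",
    "location_latitude", "location_longitude", "location_city",
})

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_column_flawed(value: str) -> bool:
    """Mimics the flaw the advisory describes: anything wrapped in
    backticks is treated as a trusted column identifier and therefore
    skips value escaping.  Only the surrounding characters are examined,
    never the content between them."""
    return len(value) >= 2 and value.startswith("`") and value.endswith("`")


def is_column_allowlisted(value: str, allowed=LOCATION_COLUMNS) -> bool:
    """Hardened check: strip optional backticks, require a plain SQL
    identifier, and require membership in the schema allowlist.
    Backticks supplied by the caller carry no trust at all."""
    name = value[1:-1] if is_column_flawed(value) else value
    return bool(_IDENT.fullmatch(name)) and name in allowed


def build_lookup(column: str, value: str):
    """Build a parameterised lookup.  The column must pass the allowlist;
    the value is always bound as a query parameter (%s placeholder as used
    by MySQL client libraries), never interpolated into the SQL text."""
    if not is_column_allowlisted(column):
        raise ValueError("unknown column: %r" % column)
    name = column.strip("`")
    return "SELECT * FROM wp_map_locations WHERE `%s` = %%s" % name, (value,)


if __name__ == "__main__":
    for probe in ("location_id", "`location_id`", "`not_a_column`"):
        print("%-18s flawed=%-5s allowlisted=%s" % (
            probe, is_column_flawed(probe), is_column_allowlisted(probe)))
    print(build_lookup("location_id", "42"))
```

The flawed check accepts any backtick-wrapped string as an identifier, which is exactly why esc_sql() never runs on it; the allowlisted version rejects everything that is not a known column, so the value path with parameter binding is the only way user input reaches the database.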
Attack Vector
The attack leverages the network-accessible AJAX endpoint without requiring any authentication or user interaction. An attacker crafts a malicious HTTP request to the WordPress AJAX handler (admin-ajax.php) with the action parameter set to wpgmp_ajax_call. By manipulating the location_id GET parameter with time-based blind SQL injection payloads wrapped in backticks, the attacker can extract database contents character by character through timing analysis.
The time-based blind technique works by injecting SQL statements that cause the database to delay its response conditionally based on whether a comparison evaluates to true. By measuring response times, attackers can infer database contents without receiving direct query output, making this attack effective even when error messages are suppressed.
Detection Methods for CVE-2026-3222
Indicators of Compromise
- Unusual HTTP requests to admin-ajax.php containing wpgmp_ajax_call action with suspicious location_id parameters
- Log entries showing requests with SQL keywords (SLEEP, BENCHMARK, WAITFOR) in GET parameters
- Database query logs indicating unusual time-delayed queries originating from the WP Maps plugin
- Requests containing backtick characters or encoded variants (%60) in the location_id parameter
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in requests to WordPress AJAX endpoints
- Monitor for anomalous timing patterns in HTTP responses that may indicate time-based blind SQL injection attempts
- Enable WordPress database query logging and alert on queries containing time-delay functions
- Review access logs for automated scanning patterns targeting admin-ajax.php with wpgmp_ajax_call
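The indicators and detection strategies above can be turned into a small log scanner. The following is an added example written for this page (not part of the plugin, Wordfence or any other product) that reads combined-format web server access log lines, keeps only requests to admin-ajax.php carrying action=wpgmp_ajax_call, flags a location_id that contains a backtick (raw, %60 or double-encoded) or a time-delay SQL function, and counts hits per source IP for the SIEM-style threshold alert. The log lines are constructed samples; IP addresses are documentation ranges.

```python
"""
Added detection example for the CVE-2026-3222 indicators listed above.
Scans Apache/nginx combined-format access log lines; the sample lines
below are constructed and the hostnames/paths are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: ip - - [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Time-delay functions named in the indicators (MySQL and MSSQL variants)
DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\b", re.IGNORECASE)

# Constructed sample log: one benign call, two suspicious calls from the
# same source, and two unrelated requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Mar/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=%60abc%60 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [11/Mar/2026:10:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=12%20BENCHMARK HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [11/Mar/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2026:10:02:30 +0000] "GET /index.php?location_id=%60x%60 HTTP/1.1" 200 80 "-" "Mozilla/5.0"
"""


def classify(line: str):
    """Return a dict describing why the request is suspicious, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/admin-ajax.php"):
        return None
    # parse_qs already percent-decodes once (%60 -> `); unquote() below
    # decodes a second time so double-encoded variants are caught too.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "wpgmp_ajax_call" not in qs.get("action", []):
        return None
    reasons = set()
    for raw in qs.get("location_id", []):
        decoded = unquote(raw)
        if "`" in decoded:
            reasons.add("backtick in location_id")
        if DELAY_RE.search(decoded):
            reasons.add("time-delay function in location_id")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("time"),
            "reasons": sorted(reasons)}


def scan(log_text: str):
    """Classify every line; return the hits and a per-IP hit count."""
    hits = [h for h in (classify(l) for l in log_text.splitlines()) if h]
    return hits, Counter(h["ip"] for h in hits)


def ips_over_threshold(per_ip: Counter, threshold: int = 2):
    """Sources with at least `threshold` suspicious requests, for alerting."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], ", ".join(h["reasons"]))
    print("alert:", ips_over_threshold(per_ip))
```

Note that the scanner only sees parameters in the query string; if the action or location_id arrives in a POST body, the web server access log will not show it, so the database query log or WAF request logging is the complementary source for that case.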
Monitoring Recommendations
- Configure SIEM alerts for multiple requests to the vulnerable endpoint from single IP addresses
- Implement rate limiting on AJAX endpoints to slow down automated exploitation attempts
- Monitor database server performance metrics for unusual query execution times
- Deploy intrusion detection signatures targeting SQL injection payloads in WordPress AJAX requests
How to Mitigate CVE-2026-3222
Immediate Actions Required
- Update the WP Maps plugin to the latest patched version immediately
- If immediate patching is not possible, deactivate the WP Maps plugin until a patch can be applied
- Review database access logs for signs of exploitation
- Audit WordPress user accounts and database for unauthorized access or modifications
- Consider implementing a WAF rule to block requests containing SQL injection patterns in the location_id parameter
Patch Information
A security patch addressing this vulnerability has been released. The fix can be reviewed in the WordPress Changeset for class.model.php and WordPress Changeset for wp-google-map-plugin.php. Additionally, detailed vulnerability information is available in the Wordfence Vulnerability Report. Site administrators should update to the latest version of the WP Maps plugin through the WordPress plugin update mechanism.
Workarounds
- Disable the WP Maps plugin temporarily if patching cannot be performed immediately
- Implement a WAF rule to block requests to admin-ajax.php with action=wpgmp_ajax_call from unauthenticated users
- Restrict direct access to AJAX handlers at the web server level using .htaccess rules or nginx configuration
- Consider using a security plugin such as Wordfence to implement virtual patching until the official update is applied
# Apache .htaccess workaround to block the vulnerable AJAX action (GET form)
# mod_rewrite only inspects the query string: admin-ajax.php also reads the
# action parameter from a POST body, which this rule does not cover, so treat
# it as a partial stopgap rather than a replacement for the plugin update.
# The rule also blocks logged-in users, so map features relying on this
# action will stop working until the patched version is installed.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} admin-ajax\.php [NC]
RewriteCond %{QUERY_STRING} action=wpgmp_ajax_call [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.