CVE-2025-12062
WP Maps · Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin
The WP Maps plugin for WordPress is vulnerable to Local File Inclusion (LFI) in versions up to 4, allowing attackers to access sensitive server-side files.
Executive summary
WordPress websites using the WP Maps plugin are at risk of sensitive data exposure and potential server compromise due to a high-severity Local File Inclusion vulnerability.
Vulnerability
The plugin builds a file path from attacker-controlled input without adequately validating it, so an attacker can make it include files it was never meant to load. Any file readable by the web-server user is in scope; the usual target is wp-config.php, which holds the database credentials. One general caveat applies to any PHP LFI: include() executes a PHP file rather than returning its source, so reading wp-config.php verbatim normally depends on a stream wrapper such as php://filter, which is why the practical impact varies with the server's PHP configuration. Depending on how the vulnerable code path is exposed, it may be reachable by an unauthenticated or low-privileged attacker.
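The root cause described above is a path check made on the text of the parameter instead of on the resolved file. The following Python block is an added illustration of the general technique and is not code from the WP Maps plugin, whose parameter names and file layout the advisory does not show; the template directory, the tpl parameter and the file names are assumptions. It contrasts a blacklist check with a resolve-then-contain check.

```python
"""Path containment check of the kind an include-by-name feature needs.

Added illustration in Python of the general technique; it is not code from
the WP Maps plugin, whose parameter names and file layout the advisory does
not show.  The template directory, the ``tpl`` parameter and the file names
below are assumptions.
"""
import os
import tempfile
from typing import Dict, Optional


def naive_include_path(base_dir: str, tpl: str) -> Optional[str]:
    """Blacklist-style check that many LFI bugs boil down to.

    Rejecting the literal '../' does nothing against an absolute path,
    because os.path.join discards base_dir when tpl starts with '/'.
    """
    if "../" in tpl:
        return None
    return os.path.join(base_dir, tpl)


def safe_include_path(base_dir: str, tpl: str) -> Optional[str]:
    """Resolve the candidate first, then require it to stay under base_dir.

    realpath collapses '..' segments and follows symlinks, so the decision is
    made on where the file actually is, not on how the parameter is spelled.
    The extension allowlist and isfile check then exclude anything that is
    not a template even if it somehow lives under base_dir.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, tpl))
    if os.path.commonpath([base, candidate]) != base:
        return None                      # escaped the template directory
    if not candidate.endswith(".php") or not os.path.isfile(candidate):
        return None                      # not a template file
    return candidate


def demo() -> Dict[str, Optional[str]]:
    """Run both checks against a throwaway template directory (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        templates = os.path.join(root, "templates")
        os.mkdir(templates)
        with open(os.path.join(templates, "map.php"), "w") as fh:
            fh.write("<?php /* constructed template */ ?>\n")
        # A sensitive file one level above the template directory.
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed'); ?>\n")

        results = {
            "naive_legit":    naive_include_path(templates, "map.php"),
            "naive_dotdot":   naive_include_path(templates, "../wp-config.php"),
            "naive_absolute": naive_include_path(templates, "/etc/passwd"),
            "safe_legit":     safe_include_path(templates, "map.php"),
            "safe_dotdot":    safe_include_path(templates, "../wp-config.php"),
            "safe_absolute":  safe_include_path(templates, "/etc/passwd"),
        }
        # Strip the temp prefix so callers can compare without knowing the path.
        return {k: (os.path.relpath(v, root) if v and v.startswith(root) else v)
                for k, v in results.items()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} -> {value}")
```

The naive check lets an absolute path straight through because os.path.join drops the base directory; the resolved check rejects it, rejects the parent-directory escape, and still accepts the legitimate template. The same structure (resolve, then compare against an allowlisted base, then check the extension) is what a PHP plugin needs with realpath() before include().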
Business impact
A successful LFI attack can expose credentials, source code and other sensitive system files. With a CVSS score of 8.8, this vulnerability poses a significant risk of data breach, and it can become a stepping stone to full server takeover if the attacker can get PHP code into a file the server will include, for example by poisoning a log file and then including it.
Remediation
Immediate Action: Update the WP Maps plugin to the latest version (4.1 or higher) to resolve the file inclusion flaw. Deactivating the plugin is not a substitute: its files remain on disk and, depending on the vulnerable code path, may still be reachable directly.
Proactive Monitoring: Review web server access logs for requests targeting the plugin's directory that contain directory traversal patterns (e.g., ../, ..%2f, and double-encoded forms such as ..%252f) or PHP stream wrappers such as php://filter. URL-decode the request before matching, since a literal search for ../ misses the encoded variants.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block Local File Inclusion and directory traversal attacks, and confirm that the WAF normalizes and URL-decodes requests before matching so that encoded and double-encoded traversal sequences are caught. This reduces exposure but does not replace the update.
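The monitoring and WAF steps above both come down to decoding the request and then matching traversal sequences and stream wrappers. The Python scanner below is an added example for those steps, not tooling from the advisory or the plugin vendor; PLUGIN_DIR, the example.php?tpl= endpoint in the sample requests and the log lines themselves are constructed assumptions, so set PLUGIN_DIR to the real plugin directory before running it against real logs.

```python
"""Flag traversal and stream-wrapper requests in web-server access logs.

Added example for the monitoring and WAF steps above; it is not tooling
from the advisory or the plugin vendor.  PLUGIN_DIR, the 'example.php?tpl='
endpoint in the sample requests and the log lines themselves are constructed
assumptions: point PLUGIN_DIR at the real plugin directory before use.
"""
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import unquote

PLUGIN_DIR = "/wp-content/plugins/wp-maps/"   # assumption; set to the real slug

# Apache/Nginx combined-format prefix: ip - user [ts] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# '../' or '..\' in the *decoded* target; that is what catches ..%2f and ..%252f
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')
# PHP stream wrappers that turn an include into a file read or code execution primitive
WRAPPER_RE = re.compile(r'(?i)(?<![a-z])(php|phar|data|expect|zip)://')


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo stacked percent-encoding a bounded number of times (no unbounded loop)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str) -> Tuple[str, List[str]]:
    """Return the decoded request target and the list of indicators it trips."""
    decoded = fully_decode(target)
    hits = []
    if TRAVERSAL_RE.search(decoded):
        hits.append("traversal")
    if WRAPPER_RE.search(decoded):
        hits.append("wrapper")
    return decoded, hits


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse each line, decode the target and keep the ones with indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a request line we understand
        decoded, hits = classify(m["target"])
        if not hits:
            continue
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "raw": m["target"], "decoded": decoded, "hits": hits,
            "targets_plugin": PLUGIN_DIR in decoded,
        })
    return findings


# Constructed log lines: four probes in plain, encoded, double-encoded and
# wrapper form, followed by two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /wp-content/plugins/wp-maps/example.php?tpl=../../../../wp-config.php HTTP/1.1" 200 2104',
    '203.0.113.7 - - [10/Oct/2025:13:55:37 +0000] "GET /wp-content/plugins/wp-maps/example.php?tpl=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1327',
    '203.0.113.7 - - [10/Oct/2025:13:55:38 +0000] "GET /wp-content/plugins/wp-maps/example.php?tpl=..%252f..%252f..%252fwp-config.php HTTP/1.1" 200 2104',
    '203.0.113.7 - - [10/Oct/2025:13:55:39 +0000] "GET /wp-content/plugins/wp-maps/example.php?tpl=php://filter/convert.base64-encode/resource=../../../../wp-config.php HTTP/1.1" 200 2913',
    '198.51.100.4 - - [10/Oct/2025:13:56:01 +0000] "GET /wp-content/plugins/wp-maps/assets/map.js HTTP/1.1" 200 48112',
    '198.51.100.4 - - [10/Oct/2025:13:56:02 +0000] "GET /index.php?p=12 HTTP/1.1" 200 9031',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["status"]} {",".join(f["hits"])} '
              f'plugin={f["targets_plugin"]} {f["decoded"]}')
```

Matching on the decoded target is the point: a literal search for ../ would miss the second and third probes, and a single decode pass would still miss the double-encoded one. A 200 status on a flagged request is the signal to treat the host as potentially read and to check what the included path pointed at. A WAF rule set needs the same normalization before its signatures are applied.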
Exploitation status
Public Exploit Available: false
Analyst recommendation
The 8.8 CVSS score reflects the high impact of this flaw on data confidentiality. Administrators must prioritize updating this plugin across all managed WordPress instances to prevent the disclosure of critical configuration files and database credentials. Where access logs show traversal requests against the plugin that returned 200, assume wp-config.php may have been read and rotate the database credentials and authentication keys and salts on that instance.