CVE-2026-1730
OS · OS DataHub Maps plugin for WordPress
A high-severity vulnerability has been identified in the OS DataHub Maps plugin for WordPress, assigned CVE-2026-1730.
Executive summary
A high-severity vulnerability has been identified in the OS DataHub Maps plugin for WordPress, assigned CVE-2026-1730. This flaw allows an attacker to upload arbitrary files, including malicious code, to an affected website due to improper file type validation. Successful exploitation could lead to a complete compromise of the website, enabling data theft, site defacement, or further attacks launched from the compromised server.
Vulnerability
The vulnerability exists within the OS_DataHub_Maps_Admin::add_file_and_ext function of the plugin. The function does not properly validate the type of file being uploaded, so an authenticated attacker (and potentially an unauthenticated one, depending on the plugin's configuration) can bypass the intended upload checks. By crafting a malicious upload request, an attacker can place a file with a server-executable extension, such as a PHP web shell, on the server. Requesting that file through the web server then executes it with the privileges of the web server process, giving the attacker remote code execution and, from there, full control of the site and a foothold on the host.
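To make the validation weakness concrete, here is an added example (not the plugin's code and not derived from the patched function): a "contains an allowed extension" check of the kind that lets a web shell through, beside a strict check that rejects path characters, accepts exactly one extension from an allowlist, and sanity-checks the content. The allowlist of map formats, the sample files and the helper names are assumptions made for the example.

```python
import re
from typing import Tuple

# Constructed allowlist for the example: the kinds of map data a plugin like this
# might accept. This is an assumption, not the plugin's real configuration.
ALLOWED_EXTENSIONS = {"geojson", "json", "gpx", "kml", "csv"}

# A safe base name, exactly one dot, a short alphanumeric extension, nothing else.
SAFE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}\.([a-z0-9]{1,10})$")

# Constructed sample payloads.
GEOJSON_SAMPLE = b'{"type": "FeatureCollection", "features": []}'
WEBSHELL_SAMPLE = b"<?php system($_GET['c']); ?>"


def weak_is_allowed(filename: str) -> bool:
    """The kind of check that is NOT enough: passes if an allowed extension appears
    anywhere in the name, so 'shell.geojson.php' and 'shell.php.geojson' both get through."""
    lowered = filename.lower()
    return any("." + ext in lowered for ext in ALLOWED_EXTENSIONS)


def content_matches(ext: str, data: bytes) -> bool:
    """Cheap structural check that the bytes look like the claimed type. A real
    deployment would parse the file with the same library that will consume it."""
    if b"<?php" in data[:4096] or b"<?=" in data[:4096]:
        return False  # a PHP open tag has no business in any of these formats
    head = data.lstrip()[:16]
    if ext in ("geojson", "json"):
        return head[:1] in (b"{", b"[")
    if ext in ("gpx", "kml"):
        return head.startswith((b"<?xml", b"<gpx", b"<kml"))
    if ext == "csv":
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False
        return True
    return False


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Strict check: normalise the name, require one allowlisted extension,
    and confirm the content is plausible. Returns (accepted, reason)."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "path separators or NUL in name"
    match = SAFE_NAME_RE.match(filename.lower())
    if not match:
        return False, "name must be base.ext with exactly one extension"
    ext = match.group(1)
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension .%s is not in the allowlist" % ext
    if not content_matches(ext, data):
        return False, "content does not look like .%s" % ext
    return True, "ok"


if __name__ == "__main__":
    for name, data in [
        ("roads.geojson", GEOJSON_SAMPLE),
        ("shell.php", WEBSHELL_SAMPLE),
        ("shell.geojson.php", WEBSHELL_SAMPLE),
        ("shell.php.geojson", WEBSHELL_SAMPLE),
        ("roads.geojson", WEBSHELL_SAMPLE),
    ]:
        print(name, "weak:", weak_is_allowed(name), "strict:", check_upload(name, data))
```

Even with the strict check, store the file under a server-generated name in a directory that the web server will not execute; the client-supplied name should only ever be used for the check, never for the path on disk.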
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8, posing a significant risk to the business. Successful exploitation could result in a complete takeover of the organization's WordPress site. Potential consequences include the theft of sensitive data such as customer information and user credentials, financial loss through compromised e-commerce functions, severe reputational damage from website defacement, and the use of the compromised server as a platform to attack other systems. This could also lead to regulatory penalties if sensitive data is breached.
Remediation
Immediate Action: Update the OS DataHub Maps plugin to the vendor's patched release (check the plugin's changelog for the fixed version number) on every site that runs it. If the plugin is not essential for business operations, deactivate and uninstall it to remove the attack surface. After updating, review WordPress file permissions and user roles so that only trusted roles can reach the plugin's upload functionality, in line with the principle of least privilege.
Proactive Monitoring: Monitor web server access logs for unusual POST requests to endpoints associated with the OS DataHub Maps plugin, and for any request that fetches a script from under wp-content/uploads. Regularly scan wp-content/uploads and other web-writable directories for unexpected files with executable extensions (e.g. .php, .phtml, .phar, .sh), including double extensions such as name.php.geojson, which some Apache configurations still execute as PHP. Implement a file integrity monitoring (FIM) solution to alert on unauthorized changes to core WordPress files, plugins and themes.
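An added example of the monitoring described above (not part of the advisory): a small Python script that parses Apache combined-format access log lines, flags requests for script files under wp-content/uploads (rating them higher when the same client sent a POST to an upload-capable endpoint minutes earlier), and lists files with script extensions in an uploads tree. The log lines are constructed for the example, and the plugin directory slug os-datahub-maps is an assumption; the advisory does not name the plugin's real endpoints.

```python
import os
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Extensions a PHP host may execute, or that indicate a dropped tool. Any of them
# after the first dot is suspicious: Apache multi-extension handling can run
# 'x.php.geojson' as PHP.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "sh", "cgi", "pl"}
UPLOAD_ROOT = "/wp-content/uploads/"
# ASSUMPTION: the plugin's directory slug is not given by the advisory; set this to
# the real path under wp-content/plugins/ on your site.
PLUGIN_PATH_HINT = "/wp-content/plugins/os-datahub-maps/"

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: an admin-ajax POST followed two seconds later by the same
# client executing a .php file from uploads, then a benign fetch, then a lone
# request for a double-extension file from another client.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2026:10:14:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2026:10:14:05 +0000] "GET /wp-content/uploads/2026/02/roads.php?c=id HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Feb/2026:10:20:11 +0000] "GET /wp-content/uploads/2026/02/roads.geojson HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Feb/2026:11:02:40 +0000] "GET /wp-content/uploads/2026/02/map.php.geojson HTTP/1.1" 200 77 "-" "curl/8.5.0"',
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": urlsplit(m["target"]).path,   # drop the query string
        "status": int(m["status"]),
    }


def has_script_extension(name: str) -> bool:
    """True if any extension after the first dot is one a server might execute."""
    parts = name.lower().split(".")
    return len(parts) > 1 and any(p in SCRIPT_EXTENSIONS for p in parts[1:])


def suspicious_files(relative_paths: List[str]) -> List[str]:
    """Filter a listing (constructed or walked) down to names with script extensions."""
    return sorted(p for p in relative_paths if has_script_extension(p.rsplit("/", 1)[-1]))


def scan_uploads(root: str) -> List[str]:
    """Walk a real uploads directory and report script-like files, paths relative to root."""
    listing = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            listing.append(rel.replace(os.sep, "/"))
    return suspicious_files(listing)


def analyse_log(lines: List[str], window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, str, str]]:
    """Return (severity, client ip, path, reason) findings in time order."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    last_upload_post: Dict[str, datetime] = {}
    findings: List[Tuple[str, str, str, str]] = []
    for e in events:
        path = str(e["path"])
        upload_capable = path.endswith("/admin-ajax.php") or path.startswith(PLUGIN_PATH_HINT)
        if e["method"] == "POST" and upload_capable:
            last_upload_post[str(e["ip"])] = e["ts"]
            findings.append(("review", str(e["ip"]), path, "POST to an endpoint that can accept plugin uploads"))
        if path.startswith(UPLOAD_ROOT) and has_script_extension(path.rsplit("/", 1)[-1]):
            prior = last_upload_post.get(str(e["ip"]))
            reason = "script requested from uploads (HTTP %d)" % e["status"]
            if prior is not None and e["ts"] - prior <= window:
                findings.append(("critical", str(e["ip"]), path, reason + ", shortly after an upload-capable POST by the same client"))
            else:
                findings.append(("high", str(e["ip"]), path, reason))
    return findings


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(*finding)
```

On a real site admin-ajax.php receives many legitimate POSTs, and the combined log format does not show the POST body or the action parameter, so the "review" findings are noisy on their own; the correlation with a subsequent request for a script under uploads is the signal worth paging on. A non-2xx status on that request (for example 403 from a deny rule) still shows that someone tried.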
Compensating Controls: If immediate patching is not feasible, place a Web Application Firewall (WAF) in front of the site with rules that inspect multipart file uploads and reject executable file types; prefer an allowlist of the extensions the plugin legitimately needs over a blocklist, since blocklists are routinely bypassed with alternate extensions (.phtml, .phar) and double extensions. In addition, configure the web server to refuse script execution in the upload directories, which prevents a web shell from running even if the upload itself succeeds.
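As an added example of the "no script execution in upload directories" control (not from the advisory or the plugin), here is an .htaccess fragment for wp-content/uploads on Apache 2.4. It assumes the virtual host allows overrides for that directory (AllowOverride All, or at least AuthConfig and Options); the mod_php module name is mod_php.c on PHP 8 and mod_php7.c on PHP 7, so adjust the IfModule test to match the host.

```apache
# wp-content/uploads/.htaccess  (added example; Apache 2.4)
#
# Weak default: with no rules here, a file named shell.php written into uploads/
# is handed to the site's PHP handler and executed like any other script.

# 1. Never serve a name that carries a script extension anywhere after the
#    first dot. Case-insensitive so Shell.PHP and shell.php.geojson are caught too.
<FilesMatch "(?i)\.(php|php[3-8]|phtml|phar|cgi|pl|sh)(\.|$)">
    Require all denied
</FilesMatch>

# 2. Belt and braces on mod_php hosts: turn the PHP engine off for this subtree.
#    php_flag is only a valid directive when PHP runs as an Apache module; the
#    IfModule guard stops it breaking hosts that use PHP-FPM instead.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

Rule 1 does the real work and is handler-independent; rule 2 is a second line of defence in case a FilesMatch pattern misses a handler-mapped extension. On nginx the equivalent is a regex location for uploads paths that returns 403, and it must be declared before the generic PHP location block, because nginx uses the first matching regex location in file order.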
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the CVSS score of 8.8 and the remote code execution impact, this vulnerability requires immediate attention. We strongly recommend that all organizations using the OS DataHub Maps plugin apply the vendor's update without delay. Although this CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and no public exploit is known, its severity warrants treating it as a critical priority. Organizations should assume it will be targeted and act swiftly to reduce the risk through patching or the compensating controls outlined above.