A high-severity SQL Injection vulnerability in the WP Maps plugin for WordPress allows attackers to extract sensitive information from the site's database.

The plugin is vulnerable to time-based SQL Injection through the orderby parameter. This occurs because the plugin fails to properly sanitize user-supplied input before using it in a database query, allowing a remote attacker to infer data by observing the time the server takes to respond.

An attacker can use this vulnerability to extract sensitive information from the WordPress database, including user credentials, configuration details, and customer information. This leads to a loss of confidentiality and can serve as a stepping stone for a full site takeover. The CVSS score of 7.5 reflects this significant risk.

Immediate Action: Update the WP Maps plugin to the latest version immediately to resolve the SQL injection flaw.

Proactive Monitoring: Review database logs for unusual time-delay queries and monitor for unauthorized access to administrative accounts.

Compensating Controls: Enable a Web Application Firewall (WAF) with SQL injection protection rules to mitigate exploitation attempts while waiting for a patch window.

Public Exploit Available: false

Applying the vendor's patch is the only effective way to remediate this vulnerability. Organizations should prioritize this update to protect their database integrity and prevent sensitive data leakage.