CVE-2026-39492

WP Maps · WP Maps Plugin

The WP Maps plugin for WordPress is vulnerable to unauthenticated SQL injection, enabling attackers to extract sensitive information from the database.

Executive summary

The WP Maps plugin contains a critical SQL injection vulnerability that allows unauthenticated attackers to access and exfiltrate sensitive database information.

Vulnerability

The plugin fails to properly sanitize user-supplied parameters, allowing an unauthenticated attacker to execute arbitrary SQL commands against the backend database.
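To illustrate the bug class the advisory describes, the following is an added example written for this page; it is not WP Maps code and does not show the plugin's actual vulnerable query, parameter names, or table names, which are all hypothetical here. It contrasts a WordPress AJAX handler that concatenates request parameters into SQL with a hardened version that validates the input and binds it through `$wpdb->prepare()`, including the `LIKE` case where `$wpdb->esc_like()` is also needed.

```php
<?php
// Added example, not WP Maps plugin code. The handler, table and parameter
// names (hypothetical_*, map_id, q) are assumptions for illustration.

// --- Vulnerable form: request data becomes part of the SQL text ---
function hypothetical_get_locations_vulnerable() {
    global $wpdb;
    $table  = $wpdb->prefix . 'hypothetical_map_locations';
    $map_id = isset( $_GET['map_id'] ) ? $_GET['map_id'] : '';
    $q      = isset( $_GET['q'] ) ? $_GET['q'] : '';

    // Both values are interpolated unchanged, so any string an unauthenticated
    // caller supplies is executed as SQL by the database.
    $rows = $wpdb->get_results(
        "SELECT id, title, lat, lng FROM {$table}"
        . " WHERE map_id = " . $map_id
        . " AND title LIKE '%" . $q . "%'"
    );
    wp_send_json( $rows );
}

// --- Hardened form: validate, then bind through $wpdb->prepare() ---
function hypothetical_get_locations_safe() {
    global $wpdb;
    $table = $wpdb->prefix . 'hypothetical_map_locations';

    // Coerce the id to a positive integer before it gets anywhere near SQL;
    // absint() returns 0 for anything that is not a valid number.
    $map_id = isset( $_GET['map_id'] ) ? absint( wp_unslash( $_GET['map_id'] ) ) : 0;
    if ( 0 === $map_id ) {
        wp_send_json_error( array( 'message' => 'invalid map_id' ), 400 );
    }

    // Free-text search term: strip tags/whitespace, then escape the LIKE
    // wildcards (% and _) so they are matched literally rather than as patterns.
    $q    = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $like = '%' . $wpdb->esc_like( $q ) . '%';

    // %d and %s are bound by prepare(); the table name comes from
    // $wpdb->prefix, not from the request, so interpolating it is safe.
    $sql = $wpdb->prepare(
        "SELECT id, title, lat, lng FROM {$table} WHERE map_id = %d AND title LIKE %s",
        $map_id,
        $like
    );
    $rows = $wpdb->get_results( $sql );

    wp_send_json_success( $rows );
}

// The nopriv hook is what exposes the handler to unauthenticated visitors,
// which is why the handler itself must not trust any of its inputs.
add_action( 'wp_ajax_hypothetical_get_locations',        'hypothetical_get_locations_safe' );
add_action( 'wp_ajax_nopriv_hypothetical_get_locations', 'hypothetical_get_locations_safe' );
```

When reviewing a plugin for this class of issue, the useful check is mechanical: every `$wpdb->get_results()`, `get_var()`, `get_row()` and `query()` call whose SQL string contains a variable should either be wrapped in `$wpdb->prepare()` with `%d`/`%s` placeholders or have that variable traced back to a non-request source such as `$wpdb->prefix`. Note that `$wpdb->prepare()` quotes `%s` values itself, so the placeholder must not be written inside quotes.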

Business impact

With a CVSS score of 9.3, this SQL injection vulnerability poses a severe threat to data confidentiality. Successful exploitation could allow unauthorized parties to bypass authentication and dump sensitive user data, configuration details, or credentials, leading to widespread data breaches.

Remediation

Immediate Action: Update the WP Maps plugin to version 4.9.2 or later as soon as possible.

Proactive Monitoring: Monitor database query logs for anomalous activity, such as unexpected syntax errors or patterns indicative of SQL injection attempts.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter and block malicious SQL injection payloads directed at the application.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Immediate patching is required to secure the database against unauthorized access. Failure to update may result in the exposure of sensitive organizational and user data.