
CVE-2026-3222

Severity: High
Published: 11 March 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0024 (46.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3222 is a high-severity SQL Injection (CWE-89) vulnerability in the WP Maps plugin for WordPress (the affected product is inferred from the references; NVD filed no CPE). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 46.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3222 is a time-based blind SQL injection vulnerability (CWE-89) in the WP Maps plugin for WordPress, affecting all versions up to and including 4.9.1. The flaw stems from the plugin's database abstraction layer, specifically the FlipperCode_Model_Base::is_column() method, which treats user input wrapped in backticks as legitimate column names and bypasses the esc_sql() escaping function. Compounding this, the wpgmp_ajax_call AJAX handler—registered for unauthenticated users via wp_ajax_nopriv—permits calling arbitrary class methods, including wpgmp_return_final_capability, which injects the unsanitized 'location_id' GET parameter directly into database queries.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By crafting the 'location_id' parameter with backtick-wrapped payloads, attackers can append malicious SQL queries to existing ones, enabling time-based blind SQL injection to extract sensitive information from the database.

The provided references point to vulnerable code locations in the WP Google Map Plugin's source on the WordPress plugins trac repository, including lines in core/class.model.php (e.g., #328) and wp-google-map-plugin.php (e.g., #250, #590) for tag 4.9.1 and the trunk branch. No specific advisories or patches are detailed in the available information.


Vulnerability details

The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped in backticks as column names, bypassing the `esc_sql()` escaping function. Additionally, the `wpgmp_ajax_call` AJAX handler (registered for unauthenticated users via `wp_ajax_nopriv`) allows calling arbitrary class methods including `wpgmp_return_final_capability`, which passes the unsanitized `location_id` GET parameter directly to a database query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A remote, unauthenticated blind SQLi in a publicly installed WordPress plugin directly enables T1190 (Exploit Public-Facing Application), with database data extraction as the outcome.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

WordPress (WP Maps plugin, all versions up to and including 4.9.1)
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Requires validation of the unsanitized 'location_id' parameter before it reaches a database query; in practice that means a fixed allowlist of column names and parameterised queries, since a blocklist of payload patterns is not a substitute for either.

SI-2 Flaw Remediation (prevent)

Mandates timely remediation of the specific SQL injection flaw in the WP Maps plugin's database abstraction layer and AJAX handler.

SC-7 Boundary Protection (prevent)

Boundary protection at web interfaces can deploy web application firewalls to inspect and block malicious SQL payloads in unauthenticated AJAX requests.
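As an added example (not code from this page, the plugin or its vendor), the following Python scan runs over web-server access log lines and flags requests to the unauthenticated AJAX handler whose 'location_id' carries the indicators described above: a backtick-wrapped value and a MySQL delay primitive. It serves both the T1190 note under Related Threats and the boundary-protection control here, since the same predicate is what a WAF rule would have to express. It assumes the handler is reached through /wp-admin/admin-ajax.php with action=wpgmp_ajax_call (the wp_ajax_nopriv hook name given in the advisory; the page does not state the request shape) and that a legitimate location_id is an integer. The log lines are constructed.

```python
"""Flag probable exploitation attempts against the unauthenticated WP Maps AJAX
handler described in CVE-2026-3222 by scanning web-server access log lines.

Added example; not code from the advisory, the plugin or its vendor.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" access log: we only need client IP, timestamp and
# the request target. Referrer and User-Agent are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the handler is reached through admin-ajax.php with
# action=wpgmp_ajax_call (the wp_ajax_nopriv hook name from the advisory).
# The advisory does not spell out the request shape.
AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "wpgmp_ajax_call"
PARAM = "location_id"

# Delay primitives used for time-based blind SQLi on MySQL/MariaDB.
TIME_FUNCS = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)

# Constructed log lines (RFC 5737 test addresses), not captured traffic.
SAMPLE_LOG = [
    # benign lookup of a single record
    '203.0.113.7 - - [11/Mar/2026:10:15:32 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # backtick-wrapped value carrying SLEEP(): decodes to `42` AND SLEEP(5)
    '198.51.100.23 - - [11/Mar/2026:10:16:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=%6042%60%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    # unrelated WordPress core action on the same endpoint
    '203.0.113.7 - - [11/Mar/2026:10:16:09 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    # BENCHMARK() variant: decodes to 1` OR BENCHMARK(5000000,MD5(1))
    '198.51.100.23 - - [11/Mar/2026:10:16:20 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=1%60%20OR%20BENCHMARK%285000000%2CMD5%281%29%29 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    # not the plugin endpoint at all
    '192.0.2.5 - - [11/Mar/2026:10:17:00 +0000] "GET /?p=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def handler_location_id(target):
    """Return the decoded location_id when the request targets the vulnerable
    handler ('' if the handler was hit without the parameter), else None."""
    parts = urlsplit(target)
    if parts.path != AJAX_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes %60 -> `
    if AJAX_ACTION not in qs.get("action", []):
        return None
    values = qs.get(PARAM)
    return values[0] if values else ""


def classify(line):
    """None for non-handler traffic; otherwise the hit with its indicator list."""
    rec = parse_line(line)
    if rec is None:
        return None
    value = handler_location_id(rec["target"])
    if value is None:
        return None
    reasons = []
    if "`" in value:
        # The advisory's root cause: backtick-wrapped input accepted as a column name.
        reasons.append("backtick_identifier")
    if TIME_FUNCS.search(value):
        reasons.append("time_based_primitive")
    if value and not value.isdigit():
        # Assumption: a legitimate location_id is an integer record id.
        reasons.append("non_numeric_location_id")
    return {"ip": rec["ip"], "ts": rec["ts"], "location_id": value, "reasons": reasons}


def scan(lines):
    """Return only the handler hits that tripped at least one indicator."""
    return [r for r in (classify(line) for line in lines) if r and r["reasons"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["reasons"], repr(hit["location_id"]))
```

Because the advisory describes a GET parameter, the payload lands in the request line and therefore in the access log; a POST body would not, so for POST traffic the same check has to live in the WAF or the application. The backtick and delay-function indicators are high confidence; the non-numeric check is a weaker heuristic that depends on the integer assumption. Time-based blind injection also leaves a timing signature: if the log format records response time (Apache %D, Nginx $request_time), a run of slow responses to this action from one source corroborates the match.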
