CVE-2026-3222
Published: 11 March 2026
Summary
CVE-2026-3222 is a high-severity SQL injection (CWE-89) vulnerability in the WP Maps plugin for WordPress (the affected product is inferred from the references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 46.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-3222 is a time-based blind SQL injection vulnerability (CWE-89) in the WP Maps plugin for WordPress, affecting all versions up to and including 4.9.1. The flaw stems from the plugin's database abstraction layer, specifically the FlipperCode_Model_Base::is_column() method, which treats user input wrapped in backticks as legitimate column names and bypasses the esc_sql() escaping function. Compounding this, the wpgmp_ajax_call AJAX handler—registered for unauthenticated users via wp_ajax_nopriv—permits calling arbitrary class methods, including wpgmp_return_final_capability, which injects the unsanitized 'location_id' GET parameter directly into database queries.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By crafting the 'location_id' parameter with backtick-wrapped payloads, attackers can append malicious SQL to the existing query, enabling time-based blind SQL injection to extract sensitive information from the database. In a time-based blind injection nothing from the query is reflected in the response; the attacker infers data one condition at a time from how long the server takes to answer, so extraction is slow and produces many near-identical requests, which is also what makes it visible in access logs and response-time metrics. The vector's C:H/I:N/A:N matches this: a read primitive against the database, with no claimed write or availability impact.
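To make the identifier-versus-value confusion concrete, the following is an added example written for this page (in Python, not the plugin's PHP, and not taken from the WP Maps source). It models the flawed rule the description gives, where a backtick-wrapped input is trusted as a column and skips escaping, beside a hardened handler that validates location_id as an integer and binds it as a parameter, plus an allowlisted column check for the case where a request may legitimately name a column. The table and column names, the esc_sql stand-in and the probe string are constructed for the illustration.

```python
"""Model of the identifier-versus-value confusion described above, beside a
hardened handler. Added illustration for this page; it is not the WP Maps
plugin's PHP, and the table/column names are assumptions."""
import re
from typing import Optional, Tuple

# Assumed schema for the illustration: the only columns a handler may name.
ALLOWED_COLUMNS = frozenset({"location_id", "location_title", "location_city"})
TABLE = "wp_map_locations"  # assumed table name


def esc_sql(value: str) -> str:
    """Stand-in for WordPress esc_sql(): escapes quote characters inside a
    *string literal*. It cannot make an identifier safe, which is why input
    that skips it as a 'column' reaches the query untouched."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def vulnerable_is_column(value: str) -> bool:
    """The flawed rule: anything wrapped in backticks is trusted as a column."""
    return len(value) >= 2 and value.startswith("`") and value.endswith("`")


def vulnerable_location_query(raw_location_id: str) -> str:
    """Vulnerable shape: the request decides whether its own input is an
    identifier (spliced in raw) or a value (escaped and quoted)."""
    if vulnerable_is_column(raw_location_id):
        predicate = raw_location_id                      # no escaping at all
    else:
        predicate = f"'{esc_sql(raw_location_id)}'"      # escaped string literal
    return f"SELECT * FROM {TABLE} WHERE location_id = {predicate}"


IDENT_RE = re.compile(r"^`?([A-Za-z_][A-Za-z0-9_]*)`?$")


def safe_column(value: str) -> Optional[str]:
    """Allowlist check for the rare case where a request may legitimately
    name a column (a sort key, say): strip at most one pair of backticks,
    require a bare identifier, and require it to be a known column."""
    m = IDENT_RE.match(value)
    if not m:
        return None
    name = m.group(1)
    return name if name in ALLOWED_COLUMNS else None


def hardened_order_by(raw_column: str) -> str:
    """Identifier from the request: allowlisted and re-quoted by the server,
    with a fixed default instead of echoing the input back."""
    col = safe_column(raw_column) or "location_id"
    return f"ORDER BY `{col}`"


def is_valid_location_id(raw: str) -> bool:
    """location_id is only ever a value: accept a short run of digits, nothing else."""
    return re.fullmatch(r"[0-9]{1,10}", raw) is not None


def hardened_location_query(raw_location_id: str) -> Tuple[str, Tuple[int, ...]]:
    """Value from the request: validated as an integer and bound as a parameter
    (the $wpdb->prepare('%d') pattern); the SQL text itself is constant."""
    if not is_valid_location_id(raw_location_id):
        raise ValueError("location_id must be a non-negative integer")
    return (f"SELECT * FROM {TABLE} WHERE location_id = %d", (int(raw_location_id),))


if __name__ == "__main__":
    probe = "`1` OR SLEEP(5)-- `"   # constructed backtick-wrapped probe
    print(vulnerable_location_query(probe))
    print(hardened_order_by(probe), "|", safe_column(probe))
    print(hardened_location_query("42"))
```

The point of the hardened half is that the request never gets to choose between the identifier and the value path: ids are validated as integers and bound, and the only identifiers that reach SQL text are ones the server already knows by name.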
The provided references point to vulnerable code locations in the WP Google Map Plugin's source on the WordPress plugins trac repository, including lines in core/class.model.php (e.g., #328) and wp-google-map-plugin.php (e.g., #250, #590) for tag 4.9.1 and the trunk branch. No specific advisories or patches are detailed in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11103
Vulnerability details
The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped in backticks as column names, bypassing the `esc_sql()` escaping function. Additionally, the `wpgmp_ajax_call` AJAX handler (registered for unauthenticated users via `wp_ajax_nopriv`) allows calling arbitrary class methods including `wpgmp_return_final_capability`, which passes the unsanitized `location_id` GET parameter directly to a database query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated blind SQLi in a publicly reachable WordPress plugin endpoint is a direct instance of T1190 (Exploit Public-Facing Application); the objective is database data extraction.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate the 'location_id' parameter before it reaches a database query. For this flaw that means treating the parameter strictly as a value (an integer id), never letting backtick wrapping promote request input to a column name, and binding values through `$wpdb->prepare()` rather than relying on `esc_sql()`.
- SI-2 (Flaw Remediation): remediate the flaw in the plugin's database abstraction layer and AJAX handler in a timely manner, i.e. update WP Maps past 4.9.1 as soon as a fixed release is confirmed (the available information does not name one); until then, disabling the plugin removes the unauthenticated entry point.
- SC-7 (Boundary Protection): a web application firewall at the web boundary can inspect unauthenticated requests to admin-ajax.php for the wpgmp_ajax_call action and block location_id values containing backticks or SQL timing functions. This is a compensating control only: a single GET parameter is easy to obfuscate, so WAF signatures buy time and visibility, not a fix.
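As an added example of what the boundary-protection control above amounts to in practice (not part of the original page, and not a vendor WAF rule), the following Python scans access-log lines for unauthenticated wpgmp_ajax_call requests whose location_id carries backtick-wrapped or timing-function payloads, and corroborates them with the recorded request time and per-source volume. The endpoint, action and parameter names come from the description above; the log format (nginx-style combined log with $request_time appended), the assumption that legitimate ids are plain integers, and the sample lines are constructed.

```python
"""Detection of the exploitation pattern described above in web access logs.
Added example for this page, not vendor code; the log format, the numeric-id
assumption and the sample lines are constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the vulnerability description: the unauthenticated
# admin-ajax action and the GET parameter it passes to the database.
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "wpgmp_ajax_call"
SUSPECT_PARAM = "location_id"
# Generic MySQL timing primitives used by time-based blind probes (assumption:
# a probe against this flaw most likely carries one of these).
TIMING_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
SLOW_SECONDS = 4.0  # request time above which a response corroborates a sleep

# nginx-style combined log with $request_time appended as the last field
# (constructed format; adjust LOG_RE to your own log_format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)

# Constructed sample lines: one benign lookup, three probes from one source,
# and two unrelated requests.
LOG_LINES = [
    '203.0.113.5 - - [11/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.081',
    '198.51.100.7 - - [11/Mar/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=%60location_id%60+OR+SLEEP%285%29--+%60 HTTP/1.1" 200 512 "-" "python-requests/2.31" 5.023',
    '198.51.100.7 - - [11/Mar/2026:10:00:15 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=%601%60+AND+BENCHMARK%285000000%2CMD5%281%29%29--+%60 HTTP/1.1" 200 512 "-" "python-requests/2.31" 4.611',
    '203.0.113.9 - - [11/Mar/2026:10:00:20 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0" 0.050',
    '198.51.100.7 - - [11/Mar/2026:10:00:21 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=%601%60+OR+SLEEP%285%29--+%60 HTTP/1.1" 200 512 "-" "python-requests/2.31" 5.017',
    '203.0.113.5 - - [11/Mar/2026:10:00:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0" 0.012',
]


def analyse_line(line: str) -> Optional[Dict]:
    """Return a record for every wpgmp_ajax_call request (flagged or not);
    None for lines that do not parse or are not this action."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != AJAX_ENDPOINT:
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # percent-decodes, '+' -> space
    if SUSPECT_ACTION not in qs.get("action", []):
        return None
    values = qs.get(SUSPECT_PARAM, [])
    reasons = set()
    for v in values:
        if "`" in v:
            reasons.add("backtick_in_location_id")
        if TIMING_RE.search(v):
            reasons.add("timing_function")
        if not v.isdigit():  # assumption: legitimate ids are plain integers
            reasons.add("non_numeric_location_id")
    payload_hit = bool(reasons)
    rt = float(m["rt"])
    if rt >= SLOW_SECONDS:
        reasons.add("slow_response")  # corroboration only; slow alone is not an alert
    return {
        "ip": m["ip"], "ts": m["ts"], "location_id": values,
        "request_time": rt, "reasons": sorted(reasons), "flagged": payload_hit,
    }


def scan(lines: Iterable[str]) -> List[Dict]:
    """All flagged records, in log order."""
    return [r for r in map(analyse_line, lines) if r is not None and r["flagged"]]


def burst_sources(records: Iterable[Dict], threshold: int = 2) -> Dict[str, int]:
    """Source IPs with at least `threshold` flagged requests. Time-based blind
    extraction needs one request per inferred condition, so volume from a
    single source is a second, payload-independent signal."""
    counts = Counter(r["ip"] for r in records)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan(LOG_LINES)
    for h in hits:
        print(h["ts"], h["ip"], h["reasons"], h["location_id"])
    print("bursting sources:", burst_sources(hits))
```

The decision to alert rests on the payload indicators; the request time and per-source count are kept as corroboration because a slow backend or a bursty crawler would otherwise page someone for nothing. The same predicate, expressed as a WAF rule on the decoded location_id value, is what the SC-7 item above describes.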