PatchSiren

rahulbhangale CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM rahulbhangale CVE published 2026-06-09

CVE-2026-8907

CVE-2026-8907 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP-Ultimate-Map plugin for WordPress, affecting versions up to and including 1.1. The vulnerability is caused by missing nonce validation in the process_init() function, which saves plugin settings via update_option(). This allows unauthenticated attackers to change plugin settings and inject arbitrary web scripts by tricking a site [truncated]