PatchSiren cyber security CVE debrief
CVE-2026-8386 WP Go Maps CVE debrief
The WP Go Maps WordPress plugin before version 10.0.10 has an information disclosure vulnerability. This vulnerability exists in its public single-marker REST endpoint, where it fails to perform approval-state filtering. As a result, unauthenticated users can retrieve marker records that have not been approved for public display by an administrator. This includes personally identifiable information (PII) such as addresses and descriptions, as well as geographic coordinates of the markers.
- Vendor: WP Go Maps
- Product: WP Go Maps WordPress plugin
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of the WP Go Maps WordPress plugin, especially those who use the plugin to display sensitive or private locations, should be aware of this vulnerability. Site administrators who have not updated to version 10.0.10 or later are at risk.
Technical summary
The vulnerability is due to a lack of filtering by approval status in the public single-marker REST endpoint of the WP Go Maps plugin. This allows unauthorized access to marker records, potentially exposing sensitive information.
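The missing check can be modeled in a few lines. The following is an added example, not the plugin's code: it contrasts a single-record lookup that ignores approval state with one that enforces it, and includes a regression check a maintainer could adapt. The `approved` field, the sample rows, and all function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows. The 'approved' field name and all values are
// assumptions for illustration, not the plugin's schema.
const MARKERS = [
    1 => ['id' => 1, 'address' => '1 Example Street', 'lat' => 10.0, 'lng' => 20.0, 'approved' => 1],
    2 => ['id' => 2, 'address' => '2 Pending Lane',   'lat' => 11.0, 'lng' => 21.0, 'approved' => 0],
];

// Flawed pattern: the lookup is keyed on id alone, so a pending record is
// returned to any caller that asks for it.
function get_marker_unfiltered(int $id): array
{
    $row = MARKERS[$id] ?? null;
    return $row === null ? ['status' => 404, 'body' => null]
                         : ['status' => 200, 'body' => $row];
}

// Corrected pattern: approval state is part of the visibility decision.
// Unapproved and missing records produce the same 404, so the response
// does not confirm that a pending record exists.
function get_marker_filtered(int $id, bool $callerCanModerate): array
{
    $row = MARKERS[$id] ?? null;
    $visible = $row !== null && ($row['approved'] === 1 || $callerCanModerate);
    return $visible ? ['status' => 200, 'body' => $row]
                    : ['status' => 404, 'body' => null];
}

// Regression check: ids of unapproved records that a handler still serves.
function leaked_ids(callable $handler): array
{
    $leaked = [];
    foreach (MARKERS as $id => $row) {
        $response = $handler($id);
        if ($row['approved'] !== 1 && $response['status'] === 200) {
            $leaked[] = $id;
        }
    }
    return $leaked;
}

$anonymous = fn (int $id): array => get_marker_filtered($id, false);
printf("unfiltered handler leaks: [%s]\n", implode(',', leaked_ids('get_marker_unfiltered')));
printf("filtered handler leaks:   [%s]\n", implode(',', leaked_ids($anonymous)));
```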
Defensive priority
High
Recommended defensive actions
- Update the WP Go Maps plugin to version 10.0.10 or later.
- Review and approve all marker records currently in use.
- Consider restricting access to sensitive marker information until approval.
Evidence notes
Evidence of this vulnerability was provided by WPScan, a well-known WordPress vulnerability database.
Official resources
- CVE-2026-8386 CVE record (CVE.org)
- CVE-2026-8386 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-8386 was published on 2026-06-15T08:16:22.007Z and has not been modified since its publication.