PatchSiren cyber security CVE debrief

CVE-2026-6381 WP Maps CVE debrief

CVE-2026-6381 is a Local File Inclusion (LFI) vulnerability in the WP Maps WordPress plugin, affecting versions prior to 4.9.3. The vulnerability stems from improper sanitization of a user-supplied parameter used in file path construction, allowing authenticated attackers to include arbitrary files from the server's filesystem. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector, high attack complexity, low privileges required, no user interaction, and high impacts to confidentiality, integrity, and availability. The vulnerability was published to NVD on 2026-05-18 and carries a HIGH severity rating with a CVSS score of 7.5. The weakness is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: WP Maps
Product: WP Maps WordPress plugin
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

WordPress site administrators running the WP Maps plugin; security teams managing WordPress estates; web application security assessors; managed service providers hosting WordPress environments

Technical summary

The WP Maps plugin fails to sanitize a parameter before using it in a file path, enabling authenticated Local File Inclusion. Attackers with low-privilege accounts can potentially read sensitive files (wp-config.php, /etc/passwd) or achieve code execution through log file poisoning or PHP session file inclusion. The high attack complexity (AC:H) suggests exploitation may require specific conditions or multiple steps.
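As an added illustration for this debrief (not WP Maps code, and making no claim about which parameter the plugin actually uses), the Python below shows the containment check that a CWE-22 fix normally comes down to: resolve the user-supplied value against an allowed base directory and accept it only if the resolved target is still a regular file inside that directory. The base directory, file names, symlink and inputs are all constructed inside a temporary scratch directory.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_within(base_dir: str, user_value: str) -> Optional[str]:
    """Return the real path of user_value if it is a regular file inside
    base_dir, otherwise None.

    The comparison is made on realpath() output, so '..' segments, a
    leading '/', and symlinks are all resolved *before* the check. A
    plain string-prefix test on the raw input would miss all three.
    """
    if "\x00" in user_value:  # a null byte would truncate the path at the C level
        return None
    base = os.path.realpath(base_dir)
    # os.path.join() discards `base` entirely when user_value is absolute,
    # which is exactly why the check is on the resolved result, not the input.
    candidate = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, candidate]) != base:
        return None  # resolved outside the allowed directory
    if not os.path.isfile(candidate):
        return None  # directories and missing files are not includable
    return candidate


def demo() -> Dict[str, bool]:
    """Exercise resolve_within() against constructed inputs in a scratch
    directory and return {case label: accepted?}."""
    with tempfile.TemporaryDirectory() as scratch:
        base = os.path.join(scratch, "templates")  # constructed allowed directory
        os.makedirs(os.path.join(base, "sub"))
        Path(base, "sub", "a.php").touch()          # constructed legitimate include
        outside = os.path.join(scratch, "secret.txt")  # constructed file outside base
        Path(outside).touch()
        try:
            os.symlink(outside, os.path.join(base, "link_out"))
        except OSError:
            pass  # if symlinks are unavailable the case simply resolves to a missing file
        cases = {
            "relative inside": "sub/a.php",
            "normalised inside": "sub/../sub/a.php",
            "dot-dot escape": "../secret.txt",
            "absolute path": outside,
            "null byte": "sub/a.php\x00.png",
            "empty (directory)": "",
            "symlink escape": "link_out",
        }
        return {label: resolve_within(base, value) is not None
                for label, value in cases.items()}


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{label:20s} -> {'allowed' if accepted else 'rejected'}")
```

Only the two inputs that resolve to the file under the allowed directory are accepted; the traversal, absolute-path, null-byte, directory and symlink cases are all rejected by the same resolved-path comparison rather than by a blacklist of characters.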

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade WP Maps WordPress plugin to version 4.9.3 or later
  • Review WordPress user accounts for unauthorized privilege escalation or suspicious file access patterns
  • Implement Web Application Firewall (WAF) rules to detect and block path traversal sequences in plugin parameters
  • Enable comprehensive logging for file inclusion operations in WordPress environments
  • Conduct code review of custom WP Maps integrations for additional sanitization gaps
  • Restrict WordPress administrative access to trusted IP ranges where feasible
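In the spirit of the WAF and logging actions above, here is an added, offline detector for path-traversal attempts in web-server access logs. It is written for this debrief and is not WP Maps or WPScan code; the endpoint path, the `template` parameter name and every log line are constructed placeholders, not the plugin's real parameter. It goes slightly beyond the list by decoding percent-encoding repeatedly, so double-encoded sequences are caught as well as plain ones.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/Nginx "combined" format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DOT_DOT_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# File names the advisory itself cites as typical read targets; extend per estate.
SENSITIVE_RE = re.compile(r'(wp-config\.php|/etc/passwd)', re.IGNORECASE)

# Constructed sample log lines (RFC 5737 documentation addresses, placeholder endpoint).
SAMPLE_LOG = [
    '203.0.113.10 - - [18/May/2026:10:00:01 +0000] "GET /wp-content/plugins/PLUGIN-PLACEHOLDER/endpoint.php?template=default.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [18/May/2026:10:00:02 +0000] "GET /wp-content/plugins/PLUGIN-PLACEHOLDER/endpoint.php?template=../../../../wp-config.php HTTP/1.1" 200 3021 "-" "curl/8.0"',
    '203.0.113.11 - - [18/May/2026:10:00:03 +0000] "GET /wp-content/plugins/PLUGIN-PLACEHOLDER/endpoint.php?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1802 "-" "curl/8.0"',
    '203.0.113.12 - - [18/May/2026:10:00:04 +0000] "GET /wp-content/plugins/PLUGIN-PLACEHOLDER/endpoint.php?template=..%2f..%2fetc%2fpasswd%00.php HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.13 - - [18/May/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [18/May/2026:10:00:06 +0000] "GET /wp-content/plugins/PLUGIN-PLACEHOLDER/endpoint.php?page=2&template=/etc/passwd HTTP/1.1" 200 1802 "-" "python-requests/2.31"',
    'not a log line at all',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that double-encoded input such as
    %252e%252e%252f collapses to '../' before pattern matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str) -> List[str]:
    """Return the reasons a decoded parameter value looks like a traversal attempt."""
    reasons = []
    if DOT_DOT_RE.search(value):
        reasons.append("dot-dot segment")
    if "\x00" in value:
        reasons.append("null byte")
    if value.startswith(("/", "\\")) or re.match(r'^[A-Za-z]:[\\/]', value):
        reasons.append("absolute path")
    if SENSITIVE_RE.search(value):
        reasons.append("sensitive file name")
    return reasons


def scan_access_log(lines) -> List[Dict[str, str]]:
    """Parse combined-format lines and flag query parameters whose decoded
    value contains traversal indicators. Unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qsl performs one decoding pass; fully_decode handles the rest.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "ip": m["ip"], "time": m["time"], "status": m["status"],
                    "param": name, "value": value, "reasons": ", ".join(reasons),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']}={f['value']!r} [{f['reasons']}] status={f['status']}")
```

Running it over the constructed lines flags four requests and leaves the two benign ones alone. In practice the sensitive-name list and the parameter names are tuned per estate, and a hit with a 200 status and a large response body deserves more attention than one that returned 500, since the former suggests the include actually succeeded.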

Evidence notes

Vulnerability description sourced from NVD official record. CVSS vector and CWE classification from NVD source item metadata. WPScan reference link provided as primary technical source. Vendor identification marked as low confidence with review flag due to 'Unknown Vendor' classification in source data.

Official resources

2026-05-18T07:16:12.710Z