Platform: wordpress
Component: wp-google-map-plugin
Fixed in: 4.8.7
CVE-2025-12062 describes a Local File Inclusion (LFI) vulnerability discovered in the WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress. This vulnerability allows authenticated attackers, even with Subscriber-level access, to include and execute arbitrary HTML files on the server, potentially leading to code execution. The vulnerability impacts versions 0.0.0 through 4.8.6, and a fix is available in version 4.8.7.
The impact of this LFI vulnerability is significant due to the potential for arbitrary code execution. An attacker, having Subscriber-level access, can upload malicious .html files containing PHP code. When these files are included via the fcloadtemplate function, the embedded PHP code will be executed on the server. This could allow an attacker to read sensitive configuration files, modify database entries, or even gain complete control over the WordPress instance. The ability to execute arbitrary code bypasses standard WordPress access controls, significantly expanding the attack surface. This vulnerability is particularly concerning given the plugin's popularity and widespread use in WordPress installations.
CVE-2025-12062 has been publicly disclosed and published on 2026-02-16. While no public exploits are currently known, the ease of exploitation inherent in LFI vulnerabilities suggests a high probability of exploitation if left unpatched. The vulnerability is not currently listed on the CISA KEV catalog. The attacker requires only Subscriber-level access, making a large number of WordPress installations potentially vulnerable.
Websites utilizing the WP Maps plugin, particularly those with a large number of users with Subscriber-level access, are at significant risk. Shared hosting environments where users have limited control over server configurations are also particularly vulnerable. Sites with outdated WordPress installations or inadequate security practices are also at increased risk.
Check and remediate (wordpress / composer / npm):
• grep -r 'fc_load_template' /var/www/html/wp-content/plugins/wp-maps/
• wp plugin list | grep "WP Maps"
• wp plugin update wp-maps
• wp plugin status wp-maps

Disclosure:
Exploit status:
EPSS: 0.06% (18th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-12062 is to immediately upgrade the WP Maps plugin to version 4.8.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting file upload permissions for the plugin's directory, implementing strict input validation on the fcloadtemplate function to prevent malicious file inclusions, and using a Web Application Firewall (WAF) to block requests containing suspicious file paths. Monitor WordPress logs for unusual file access patterns or attempts to include unexpected files. After upgrading, verify the fix by attempting to access a non-existent HTML file through the vulnerable endpoint and confirming that a 404 error is returned instead of the file's contents.
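The following is an added illustration of the "strict input validation in the template loader" workaround described above. It is not code from the WP Maps plugin and not its template-loading function; the function names, the allowlist entries and the templates directory are assumptions made for this example. It contrasts the weak pattern (a caller-controlled name joined straight into an include path, which is how an uploaded .html file carrying PHP ends up executed) with a loader that allowlists the template name, forces the .php extension and confirms the resolved path still lies inside the templates directory.

```php
<?php
// Added illustration, not code from the WP Maps plugin: a template loader
// hardened against Local File Inclusion. The function names, the allowlist
// entries and the templates directory are assumptions made for this example.

// Only templates registered here may be included; anything else is rejected.
const ALLOWED_TEMPLATES = ['map-default', 'map-list', 'store-locator'];

/**
 * Weak pattern (kept only for contrast): a caller-controlled name is joined
 * straight into an include path, so a traversal string or a path to an
 * uploaded .html file is included and any PHP inside it runs.
 */
function unsafe_load_template(string $name, string $base_dir): void
{
    include $base_dir . '/' . $name;
}

/**
 * Hardened loader: allowlist the name, fix the extension to .php, resolve the
 * real path and confirm it is still inside the templates directory.
 * Returns the included path, or null when the request is rejected.
 */
function safe_load_template(string $name, string $base_dir): ?string
{
    // 1. Strict allowlist: no traversal sequences, slashes or foreign
    //    extensions can survive an exact string comparison.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }

    // 2. Canonicalise both sides so symlinks or stray "../" segments
    //    cannot move the include outside the intended directory.
    $root = realpath($base_dir);
    $path = realpath($base_dir . '/' . $name . '.php');
    if ($root === false || $path === false) {
        return null; // directory or template file does not exist
    }

    // 3. Containment check: the resolved file must live below $root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    include $path;
    return $path;
}

// Constructed demonstration data: a throwaway templates directory holding one
// legitimate template, created under the system temp dir.
$templates = sys_get_temp_dir() . '/lfi-example-templates';
if (!is_dir($templates)) {
    mkdir($templates, 0700, true);
}
file_put_contents($templates . '/map-default.php', "<?php echo 'template rendered', PHP_EOL;");

$cases = [
    'map-default',                   // registered and present: included
    'map-list',                      // registered but no file on disk: rejected
    '../../uploads/uploaded.html',   // path to an upload: rejected by the allowlist
    'map-default/../../wp-config',   // traversal behind a valid prefix: rejected
];
foreach ($cases as $case) {
    $result = safe_load_template($case, $templates);
    printf("%-32s => %s\n", $case, $result === null ? 'rejected' : 'included ' . basename($result));
}
```

Run it with `php example.php`: only the first case is included (it echoes "template rendered"), the other three are rejected. The allowlist alone already blocks every traversal and extension trick; the realpath containment check is defence in depth for the case where a later change loosens the allowlist, and it is the same property the post-upgrade 404 check above is verifying from the outside.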
Update to version 4.8.7 or a newer patched version.
CVE-2025-12062 is a Local File Inclusion vulnerability in the WP Maps plugin for WordPress, allowing authenticated attackers to include and execute arbitrary HTML files.
You are affected if you are using WP Maps plugin versions 0.0.0 through 4.8.6. Upgrade to 4.8.7 or later to mitigate the risk.
Upgrade the WP Maps plugin to version 4.8.7 or later. If immediate upgrade is not possible, restrict file upload permissions and implement strict input validation.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation increases the risk of opportunistic attacks.
Refer to the official WP Maps plugin website or WordPress security announcements for the latest advisory and updates.