Platform: wordpress
Component: wp-google-map-plugin
Fixed in: 4.8.7
CVE-2025-12062 describes a Local File Inclusion (LFI) vulnerability in the WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress. It allows authenticated attackers, even those with only Subscriber-level access, to include and execute arbitrary HTML files on the server, which can lead to code execution. Versions 0.0.0 through 4.8.6 are affected; a fix is available in version 4.8.7.
The impact of this LFI vulnerability is significant. An attacker with only Subscriber-level access can use the flaw to include and execute arbitrary HTML files. If the server configuration permits uploading HTML files, this can be used to inject malicious PHP code. Successful exploitation could lead to complete compromise of the WordPress site, including data breaches, unauthorized modifications, and execution of arbitrary commands on the server. Bypassing access controls and executing code within the WordPress environment represents a serious security risk.
CVE-2025-12062 has been publicly disclosed. No active exploitation campaigns have been confirmed, but the availability of a proof-of-concept could lead to opportunistic attacks, and the low privilege requirement (Subscriber-level access) increases the likelihood that it will be targeted. It was published on 2026-02-16.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-12062 is to upgrade the WP Maps plugin to version 4.8.7 or later without delay. If upgrading is not immediately feasible because of compatibility issues or breaking changes, restrict file upload permissions so that attackers cannot upload HTML files, and apply strict input validation and sanitization so that only expected files can be included. A Web Application Firewall (WAF) configured to detect and block attempts to include arbitrary files adds a further layer of protection. Regularly review installed WordPress plugins and remove any that are unused or outdated.
Update to version 4.8.7 or a newer patched version.
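The two interim mitigations above (restricting uploads and validating what gets included) can both be enforced in a small must-use plugin. The following is an added defensive example written for this page; it is not code from the WP Maps plugin or its vendor, and the template keys, the `my_maps_*` function names and the `templates/` layout are invented for illustration. The inclusion side resolves a request-supplied key through a fixed allowlist and confirms with `realpath()` that the result stays inside the plugin directory; the upload side removes the HTML mime type from WordPress's `upload_mimes` list so that a file-inclusion bug has nothing attacker-uploaded to include.

```php
<?php
/**
 * Added defensive example, not plugin code. Assumes a hypothetical plugin
 * directory containing templates/list.php and templates/grid.php.
 */

// Only templates listed here may ever be included; the request supplies a
// key into this map, never a path.
const MY_MAPS_TEMPLATES = array(
    'list' => 'templates/list.php',
    'grid' => 'templates/grid.php',
);

/**
 * Resolve a user-supplied template key to an absolute path inside the plugin.
 * Returns null when the key is unknown or the resolved path escapes the root.
 */
function my_maps_resolve_template( string $key ): ?string {
    if ( ! array_key_exists( $key, MY_MAPS_TEMPLATES ) ) {
        return null; // unknown key: refuse rather than guess
    }
    $root = realpath( __DIR__ );
    $path = realpath( __DIR__ . '/' . MY_MAPS_TEMPLATES[ $key ] );
    // realpath() collapses ../ and symlinks; confirm the result is still
    // under the plugin root before trusting it.
    if ( false === $root || false === $path
        || 0 !== strpos( $path, $root . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

/** Render a template by key, failing closed with a 400 on anything unexpected. */
function my_maps_render_template( string $key ): void {
    $path = my_maps_resolve_template( $key );
    if ( null === $path ) {
        wp_die( esc_html__( 'Invalid template.', 'my-maps' ), 400 );
    }
    include $path;
}

// Upload-side hardening: strip HTML from the allowed upload mime types for
// every user, including administrators who would otherwise be permitted
// to upload it via the unfiltered_html capability.
add_filter( 'upload_mimes', function ( array $mimes ): array {
    unset( $mimes['htm|html'] );
    return $mimes;
} );
```

Drop the file into `wp-content/mu-plugins/` so it loads before ordinary plugins. Note that `upload_mimes` only governs the media library; files written by other means (FTP, a second plugin's own uploader) are not covered, which is why the allowlisted include is the control that actually matters.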
CVE-2025-12062 is a Local File Inclusion vulnerability in the WP Maps plugin for WordPress that allows authenticated attackers to include and execute arbitrary HTML files.
You are affected if you are running WP Maps plugin versions 0.0.0 through 4.8.6. Upgrade to 4.8.7 or later to mitigate the risk.
Upgrade the WP Maps plugin to version 4.8.7 or later. If an immediate upgrade is not possible, restrict file upload permissions and implement strict input validation.
No active exploitation campaigns have been confirmed, but the vulnerability's ease of exploitation increases the risk of opportunistic attacks.
Refer to the official WP Maps plugin website or WordPress security announcements for the latest advisory and updates.