CVE-2026-8386

WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Marker ID

CVSS 5.3 MEDIUMEPSS 0.2%

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products

Unknown · WP Go Maps

public PoCs found — 1

cve_referencewpscan.com/vulnerability/fa7f5cb0-abe2-4079-9290-e0e4dc89f27f/unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/fa7f5cb0-abe2-4079-9290-e0e4dc89f27f/