{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0593", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-04T20:08:57.465Z", "datePublished": "2026-01-24T16:25:51.700Z", "dateUpdated": "2026-04-08T17:03:17.605Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:17.605Z"}, "affected": [{"vendor": "wpgmaps", "product": "WP Go Maps (formerly WP Google Maps)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "10.0.04", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings."}], "title": "WP Go Maps (formerly WP Google Maps) <= 10.0.04 - Missing Authorization to Authenticated (Subscriber+) Map Engine Setting Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f0741c1-a5d7-41a4-a739-2cb7cb836509?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439283/wp-google-maps/trunk/includes/class.admin-notices.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Moose Love"}], "timeline": [{"time": "2026-01-04T20:25:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-24T04:04:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T17:37:33.266486Z", "id": "CVE-2026-0593", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:37:40.408Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0593", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T17:37:33.266486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:37:36.823Z"}}], "cna": {"title": "WP Go Maps (formerly WP Google Maps) <= 10.0.04 - Missing Authorization to Authenticated (Subscriber+) Map Engine Setting Modification", "credits": [{"lang": "en", "type": "finder", "value": "Moose Love"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpgmaps", "product": "WP Go Maps (formerly WP Google Maps)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "10.0.04"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-04T20:25:57.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-24T04:04:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f0741c1-a5d7-41a4-a739-2cb7cb836509?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3439283/wp-google-maps/trunk/includes/class.admin-notices.php"}], "descriptions": [{"lang": "en", "value": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:17.605Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0593", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:17.605Z", "dateReserved": "2026-01-04T20:08:57.465Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T16:25:51.700Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings."}, {"lang": "es", "value": "El plugin WP Go Maps (anteriormente WP Google Maps) para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n processBackgroundAction() en todas las versiones hasta la 10.0.04, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, modifiquen la configuraci\u00f3n global del motor de mapas."}], "id": "CVE-2026-0593", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T17:15:58.997", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3439283/wp-google-maps/trunk/includes/class.admin-notices.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f0741c1-a5d7-41a4-a739-2cb7cb836509?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:35:49.969886+00:00", "value": {"mitigation_remediation": ["Upgrade the WP Go Maps plugin to the latest available version that resolves the missing authorization check.", "Verify that users with the Subscriber role no longer possess capability to invoke processBackgroundAction() by reviewing role permissions or using a plugin like User Role Editor.", "If an immediate upgrade is not possible, restrict the Subscriber role\u2019s access to background action endpoints by adding custom capability checks or disabling relevant AJAX hooks via a code snippet."], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification of global map engine settings by authenticated users with Subscriber or higher roles"}, "threat_synthesis": {"affected_systems": "WordPress sites utilizing the WP Go Maps plugin up to and including version\u00a010.0.04 are affected. Users with Subscriber or higher roles on such installations can trigger the background action and change map engine settings. No specific hardware or additional software requirements are noted beyond a typical WordPress environment running the vulnerable plugin.", "description_and_impact": "The vulnerability resides in the processBackgroundAction() function, where a capability check is omitted, allowing authenticated members with Subscriber-level access or higher to alter the global map engine settings of the WP Go Maps plugin. This change undermines the integrity of map configurations and could enable attackers to modify map behavior, data sources, or visual presentation. The weakness involves improper authorization (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, further reducing the current threat level. However, the attack vector requires only authenticated access with a moderate user role, which is typically common on public sites. An attacker could exploit the missing capability check by submitting a background action request, thereby changing configuration data that affects all users of the map feature. Because the flaw is not tied to user input or remote code execution, it does not entail immediate catastrophic impact but can subvert the intended behavior of the mapping component."}}}}, "created": "2026-01-26T11:48:13.378498+00:00", "updated": "2026-04-15T21:45:14.143691+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpgmaps", "wpgmaps$PRODUCT$wp_go_maps"]}