CVE-2026-8907
Description
The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the process_init() function hooked to admin_init, which saves plugin settings (zoom-level, focus-lat, focus-lng, sel_places, sel_routes) via update_option() based solely on the presence of a save-setting POST parameter. Additionally, the saved values โ particularly zoom-level โ are stored without sanitization and later echoed into an HTML attribute (and inline JavaScript) on the settings page without escaping. This makes it possible for unauthenticated attackers to change plugin settings and inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
References
- https://plugins.trac.wordpress.org/browser/wp-ultimate-map/tags/1.1/admin/class-admin.php#L21
- https://plugins.trac.wordpress.org/browser/wp-ultimate-map/tags/1.1/admin/class-admin.php#L24
- https://plugins.trac.wordpress.org/browser/wp-ultimate-map/tags/1.1/admin/class-admin.php#L63
- https://www.wordfence.com/threat-intel/vulnerabilities/id/334fb374-c84b-4fec-8653-f7ad6af1f631?source=cve
CWEs
CWE-352
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.