CVE-2026-39492: WordPress WP Maps plugin <= 4.9.1 - SQL Injection vulnerability
Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects the WP Maps WordPress plugin at version 4.9.1 and below. The flaw is reachable over the network with no credentials required and no victim interaction needed, making it trivially accessible to any attacker who can reach the WordPress site. Successful exploitation gives the attacker read access to the underlying database and limited ability to disrupt service availability. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment one is released.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the WP Maps plugin. Any image containing an affected version of the plugin is flagged immediately on the next scan cycle. (Status: Available)
HarborGuard scores this CVE at 9.3 CRITICAL using the provided CVSS v3.1 vector and is capable of weighting that score against each customer environment's own compliance policy to determine urgency and routing. Triage findings are routed to the appropriate team inbox within each customer organization based on their configured escalation rules. (Status: Available)
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the vendor releases a remediated version. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and open a pull request against affected workloads without manual intervention. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
  The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP/HTTPS to exploit it.
- Authentication: Not required
  No account or session credentials are needed; the injection point is accessible to any anonymous HTTP request.
- Victim interaction: Not required
  The attacker sends a crafted request directly to the server and does not need any user to click a link or take any action.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, timing windows, or environmental prerequisites.
Blast Radius
- Reads arbitrary database contents including WordPress user records, password hashes, stored session tokens, and any plugin or site configuration data.
- Exposes sensitive application data that may include personally identifiable information, API keys, or private post content stored in the database.
- Causes limited disruption to service availability, consistent with the CVSS A:L impact token, which may manifest as degraded query performance or partial service interruption.
- Because the vulnerability has a changed scope (S:C), successful exploitation may affect database components or server-side processes beyond the WordPress application itself.
How HarborGuard Handles This
Status: Available on HarborGuard. Because no vendor patch exists for CVE-2026-39492, HarborGuard continuously re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild automatically once the upstream fix is published. For customers who opt into auto-remediation, that rebuild will immediately trigger a regression test run and open a pull request against affected workloads.
In the interim, recommended compensating controls include:
- placing the WordPress installation behind a web application firewall rule that blocks SQL metacharacter patterns in plugin request parameters;
- applying network-policy isolation to restrict which services can initiate outbound connections from the WordPress container;
- disabling or removing the WP Maps plugin from the image entirely if map functionality is non-essential.
Given the critical CVSS score of 9.3 and the absence of any authentication requirement, treating this as a high-priority exposure until an upstream patch is available is warranted.
Affected Products
- Flipper Code – WordPress Development Company / WP Maps ≤ 4.9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L