Unauthenticated SQL injection in WP Maps via orderby parameter
TL;DR — WP Maps for WordPress has an unauthenticated time-based SQL injection in an orderby parameter that can be abused to extract sensitive database data remotely.
What happened
WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters is a WordPress plugin that adds mapping and store-locator functionality to WordPress sites.
Wordfence published a vulnerability write-up for CVE-2026-2580, describing a time-based SQL injection issue where the plugin’s orderby parameter is insufficiently escaped and the query is not sufficiently prepared. According to Wordfence, this enables unauthenticated attackers to append additional SQL queries to existing queries and extract sensitive data from the WordPress database.
This is operationally important for platform teams because unauthenticated SQLi in WordPress plugins is a repeatable, automation-friendly attack class: if the impacted parameter is reachable from the public site surface, it can become an at-scale data-exfiltration and credential-harvesting pathway.
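The root cause Wordfence describes, an orderby value that reaches the SQL text without being prepared, is a general pattern worth seeing in code. The following is an added illustration (Python with sqlite3, not code from WP Maps or Wordfence; table, column names and sample rows are constructed) of why a sort column cannot be fixed with a bound parameter alone: the driver binds it as a string constant and the sort silently does nothing, so the working fix is an allow-list that maps caller-supplied keys to fragments the application wrote itself.

```python
"""Allow-listing an ORDER BY column: added example, not plugin code.

Demonstrates (1) that binding a sort column as a query parameter does not
sort, and (2) how an allow-list keeps untrusted input out of the SQL text.
Table/column names and rows are constructed for the demo."""
import sqlite3

# Constructed sample data standing in for a store-locator table.
SAMPLE_ROWS = [("Zeta Outlet", 30), ("Alpha Store", 10), ("Mid Shop", 20)]

# Caller-supplied sort keys map to fixed fragments written by us. Anything
# not in this table is rejected, so user input never reaches the SQL text.
ORDERBY_ALLOWLIST = {
    "name": "name ASC",
    "name_desc": "name DESC",
    "distance": "distance ASC",
}


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stores (name TEXT, distance INTEGER)")
    conn.executemany("INSERT INTO stores VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def order_by_fragment(user_orderby):
    """Resolve an untrusted orderby value to a fixed fragment, or fail closed."""
    try:
        return ORDERBY_ALLOWLIST[user_orderby]
    except KeyError:
        raise ValueError(f"unsupported orderby value: {user_orderby!r}")


def fetch_stores_allowlisted(conn, user_orderby):
    """Hardened form: only an allow-listed fragment is interpolated."""
    fragment = order_by_fragment(user_orderby)  # raises on unknown input
    sql = f"SELECT name, distance FROM stores ORDER BY {fragment}"
    return [row[0] for row in conn.execute(sql)]


def fetch_stores_bound(conn, user_orderby):
    """Common mistake: binding the column name as a parameter.

    Identifiers cannot be bound. The value becomes a string literal, every
    row compares equal, and the ORDER BY has no effect (rows typically come
    back in insertion order)."""
    sql = "SELECT name, distance FROM stores ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (user_orderby,))]


if __name__ == "__main__":
    db = make_db()
    print("allow-listed:", fetch_stores_allowlisted(db, "name"))
    print("bound param: ", fetch_stores_bound(db, "name"))
    try:
        fetch_stores_allowlisted(db, "name; anything")
    except ValueError as exc:
        print("rejected:", exc)
```

In WordPress terms the same idea applies to `$wpdb`: `prepare()` protects values, not identifiers, so an orderby key needs an allow-list (or `sanitize_sql_orderby()`-style validation) before it is concatenated into the query.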
Who is impacted
- WordPress sites running the WP Maps plugin (software slug: wp-google-map-plugin).
- Versions up to and including 4.9.1.
| Component | Affected (per source) | Patched (per source) |
|---|---|---|
| WP Maps plugin | <= 4.9.1 | 4.9.2 |
What to do now
- Follow vendor remediation guidance from Wordfence: "Update to version 4.9.2, or a newer patched version".
- Inventory where the plugin is deployed (production, staging, customer-managed installs) and confirm deployed versions.
- Treat this as a potential data-exposure risk: prioritize reviewing access logs and WAF telemetry for suspicious requests targeting plugin endpoints/parameters consistent with time-based SQLi probing (e.g., repeated requests with anomalous latency).
- If you suspect exploitation, rotate credentials stored in the WordPress database that would materially increase blast radius if disclosed (API keys, integration tokens, SMTP creds, etc.).
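The log-review step above is easier to act on with a concrete triage heuristic. The following is an added example (Python, standard library only, not code from Wordfence or the plugin) that scans nginx-style access log lines with `$request_time` appended, keeps requests carrying an `orderby` parameter, and flags a client that repeatedly hits the same path with a high share of multi-second responses, the signature of time-based probing. The log lines, the `/store-locator/` path and the `PROBE_n` values are constructed placeholders, not real plugin endpoints or payloads.

```python
"""Triage access logs for time-based SQLi probing on an orderby parameter.

Added example, not vendor code. Assumes an nginx-style access log with
$request_time (seconds) as the final field; sample lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic: two normal visitors, one client issuing a
# burst of requests where most responses take ~5 s. Paths are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2026:12:00:01 +0000] "GET /store-locator/?orderby=name HTTP/1.1" 200 5120 0.112
198.51.100.8 - - [10/Mar/2026:12:00:03 +0000] "GET /store-locator/?orderby=distance HTTP/1.1" 200 5133 0.098
203.0.113.5 - - [10/Mar/2026:12:01:10 +0000] "GET /store-locator/?orderby=PROBE_1 HTTP/1.1" 200 5120 5.104
203.0.113.5 - - [10/Mar/2026:12:01:16 +0000] "GET /store-locator/?orderby=PROBE_2 HTTP/1.1" 200 5120 5.201
203.0.113.5 - - [10/Mar/2026:12:01:22 +0000] "GET /store-locator/?orderby=PROBE_3 HTTP/1.1" 200 5120 0.105
203.0.113.5 - - [10/Mar/2026:12:01:28 +0000] "GET /store-locator/?orderby=PROBE_4 HTTP/1.1" 200 5120 5.087
198.51.100.9 - - [10/Mar/2026:12:02:00 +0000] "GET /about/ HTTP/1.1" 200 2048 0.040
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<latency>\d+(?:\.\d+)?)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "params": parse_qs(parts.query),
        "status": int(m.group("status")),
        "latency": float(m.group("latency")),
    }


def find_timing_probes(log_text, param="orderby", slow_seconds=2.0,
                       min_requests=3, min_slow_fraction=0.5):
    """Flag (client, path) pairs whose requests carry `param` and where at
    least `min_slow_fraction` of `min_requests`+ responses exceed
    `slow_seconds`. A mix of slow and fast responses is expected: boolean
    time-based probes delay only when a condition holds."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or param not in rec["params"]:
            continue
        groups[(rec["ip"], rec["path"])].append(rec["latency"])

    findings = []
    for (ip, path), latencies in sorted(groups.items()):
        slow = sum(1 for lat in latencies if lat >= slow_seconds)
        if len(latencies) >= min_requests and slow / len(latencies) >= min_slow_fraction:
            findings.append({
                "client": ip,
                "path": path,
                "total": len(latencies),
                "slow": slow,
                "max_latency": max(latencies),
            })
    return findings


if __name__ == "__main__":
    for f in find_timing_probes(SAMPLE_LOG):
        print(f"{f['client']} -> {f['path']}: {f['slow']}/{f['total']} "
              f"slow requests, max {f['max_latency']:.3f}s")
```

Tune `slow_seconds` to the endpoint's normal p99 rather than a fixed value, and treat a hit as a trigger for the credential-rotation step above, not as proof of compromise on its own: a slow backend or a misbehaving crawler can produce similar latency patterns.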
