Share
## https://sploitus.com/exploit?id=784377CB-53C9-5014-8473-DBA4A5E81E52
#  WP Maps Exploit - Time-Based Blind SQL Injection (CVE-2026-3222)

[![Python Version](https://img.shields.io/badge/python-3.6%2B-blue)](https://www.python.org/)
[![License](https://img.shields.io/badge/license-MIT-green)](LICENSE)
[![Vulnerability](https://img.shields.io/badge/CVE-2026--3222-red)](https://vulners.com/cve/CVE-2026-3222)
[![CVSS Score](https://img.shields.io/badge/CVSS-7.5%20(HIGH)-orange)](https://nvd.nist.gov/vuln/detail/CVE-2026-3222)

A proof-of-concept exploit for the SQL Injection vulnerability in WP Maps plugin versions ≤ 4.9.1. This tool demonstrates how unauthenticated attackers can extract sensitive information from the WordPress database.

##  About the Vulnerability

| Detail | Information |
|---------|------------|
| **CVE ID** | CVE-2026-3222 |
| **CVSS Score** | 7.5 (HIGH) |
| **Attack Vector** | Network (AV:N) |
| **Complexity** | Low (AC:L) |
| **Authentication** | None required (PR:N) |
| **Impact** | Confidentiality (HIGH) |

###  Technical Description

The WP Maps plugin (versions ≤ 4.9.1) contains a **time-based blind SQL Injection** vulnerability due to:

1. The AJAX handler `wpgmp_ajax_call` is registered for **unauthenticated users** via `wp_ajax_nopriv`
2. It allows calling arbitrary class methods, including `wpgmp_return_final_capability`
3. The `location_id` parameter is passed **unsanitized** to the database query
4. The database abstraction layer treats user input wrapped in backticks as column names, **bypassing `esc_sql()` escaping**

###  Affected Versions

- **Vulnerable**: WP Maps ≤ 4.9.1
- **Patched**: WP Maps ≥ 4.9.2

##  Exploit Features

| Feature | Description |
|---------|-------------|
|  **Automatic Detection** | Checks if target is vulnerable with time-based test |
|  **Extract DB Version** | Gets database version (MySQL, MariaDB) |
|  **Extract DB User** | Discovers database user |
|  **Extract DB Name** | Gets current database name |
|  **Extract Tables** | Lists all database tables |
|  **Extract WP Users** | Gets usernames and password hashes |
|  **Multi-threading** | Efficient data extraction |
|  **Windows Fixed** | Works on Windows, Linux and Mac |

##  Installation

### Prerequisites

- Python 3.6 or higher
- pip (Python package manager)

### Installation Steps

1. **Clone the repository**
```bash
git clone https://github.com/your-username/wp-maps-exploit.git
cd wp-maps-exploit