CVE-2026-8385 | The WP Go Maps WordPress plugin before 10.0.10 does not pro… | CVSS 5.3 MEDIUM

Description

The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields.

Metadata

CVE ID: CVE-2026-8385
State: PUBLISHED
Assigner: WPScan
Reserved: 2026-05-12 11:14 UTC
Published: 2026-06-15 06:00 UTC
Last updated: 2026-06-15 12:37 UTC
Primary CWE: CWE-200
CWE-200 Exposure of Sensitive Information to an Unauthorized…
Vendor / Product: Unknown / WP Go Maps
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Unknown	WP Go Maps	—	0 < 10.0.10

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-200 Information Exposure
CWE-200	adp	CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (1)

https://wpscan.com/vulnerability/984cad38-6d01-4956-8bf1-29585258780b/