CVE-2026-2580
WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 - Unauthenticated SQL Injection via 'orderby' ParameterThe WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 4.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
We have discovered 14,320 live websites that are affected by CVE-2026-2580.
Affected Software
| Product |  WP Google Map Plugin |
| Category | Wordpress Plugins |
| Vulnerable Domains | 14,320 live websites (77% of WP Google Map Plugin install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 40 versions ( 95% of all versions) |
Common Weakness Enumeration
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Details
- Published - Mar 22, 2026
- Updated - Apr 8, 2026
Credits
- Chiao-Lin Yu (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-2580 United States | 3,742 websites |
 Germany | 1,550 websites |
 Italy | 955 websites |
 France | 820 websites |
 GB | 726 websites |
 Spain | 479 websites |
 Poland | 472 websites |
 Netherlands | 426 websites |
 Canada | 319 websites |
 Australia | 282 websites |
Website Distribution by TLD
Number of websites using CVE-2026-2580| .com | 5,682 websites |
| .de | 912 websites |
| .it | 663 websites |
| .org | 630 websites |
| .co.uk | 421 websites |
| .nl | 402 websites |
| .pl | 349 websites |
| .fr | 325 websites |
| .net | 280 websites |
| .com.au | 266 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-2580
Top websites that are affected by CVE-2026-2580. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ************.com | United States | **,*** | |
| ***.be |  Belgium | **,*** | |
| *************.com | GB | ***,*** | |
| **.**.id |  Indonesia | ***,*** | |
| *******.*****.fr | France | ***,*** | |
| ***************.com | United States | ***,*** | |
| ****.es | Spain | ***,*** | |
| *******************.com | Australia | ***,*** | |
| ****************.se |  Sweden | ***,*** | |
| ******************.com | France | ***,*** |
FAQ
CVE-2026-2580 is Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in WP Google Map Plugin
A total of 14,320 websites have been identified as vulnerable to CVE-2026-2580, based on global website indexing conducted by WebTechSurvey.
The WP Google Map Plugin is affected by the CVE-2026-2580 vulnerability.
WP Google Map Plugin versions up to and including 4.9.1 are vulnerable to CVE-2026-2580.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8d954868-eff2-497d-84e7-cc42da8a4c6f?source=cve
- https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/core/class.tabular.php#L780
- https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/classes/wpgmp-helper.php#L127
- https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.1/wp-google-map-plugin.php#L77