CVE-2025-12062: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in flippercode WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
CVE-2025-12062 is a high-severity path traversal vulnerability in the WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters WordPress plugin. It affects all versions up to and including 4. 8. 6. Authenticated attackers with Subscriber-level access or higher can exploit this flaw via the fc_load_template function to include arbitrary . html files on the server. If an attacker can upload . html files containing PHP code, they can achieve remote code execution, bypass access controls, and access sensitive data. The vulnerability requires no user interaction beyond authentication and has a CVSS score of 8. 8.
AI Analysis
Technical Summary
CVE-2025-12062 is a path traversal vulnerability classified under CWE-22 found in the WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress. The vulnerability exists in the fc_load_template function, which improperly limits the pathname to a restricted directory, allowing an authenticated user with Subscriber-level privileges or higher to include arbitrary .html files from the server. This inclusion can lead to local file inclusion (LFI) attacks. If the attacker can upload .html files containing embedded PHP code, the server may execute this code, resulting in remote code execution (RCE). This flaw enables attackers to bypass access controls, extract sensitive information, and potentially take full control of the affected WordPress site. The vulnerability affects all versions up to 4.8.6, with no patches currently available. The CVSS 3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and only requiring low privileges and no user interaction. Although no known exploits are publicly reported, the vulnerability is critical due to the widespread use of the plugin and WordPress in general.
Potential Impact
For European organizations, this vulnerability poses a significant risk, particularly for those relying on WordPress sites with the affected plugin installed. Attackers with minimal privileges can escalate their access to execute arbitrary code, potentially leading to full site compromise, data breaches, defacement, or use of the site as a pivot point for further attacks within the network. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance under GDPR due to unauthorized data access or leakage. Organizations in sectors such as e-commerce, government, education, and media, which commonly use WordPress, are especially vulnerable. The ease of exploitation combined with the potential for severe impact on confidentiality, integrity, and availability makes this a critical threat to European digital infrastructure.
Mitigation Recommendations
Immediate mitigation steps include restricting file upload capabilities for Subscriber-level users and below, especially blocking .html file uploads or any file types that could contain executable code. Organizations should audit their WordPress installations to identify the presence of the vulnerable plugin and upgrade to a patched version once available. In the absence of a patch, applying virtual patching via Web Application Firewalls (WAFs) to block suspicious requests targeting the fc_load_template function or path traversal patterns is recommended. Additionally, implementing strict file permission policies on the server to prevent execution of uploaded files and monitoring logs for unusual file inclusion attempts can reduce risk. Regularly reviewing user roles and minimizing privileges to the least necessary will also limit exploitation potential. Backup strategies should be enhanced to enable rapid recovery in case of compromise.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
CVE-2025-12062: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in flippercode WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
Description
CVE-2025-12062 is a high-severity path traversal vulnerability in the WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters WordPress plugin. It affects all versions up to and including 4. 8. 6. Authenticated attackers with Subscriber-level access or higher can exploit this flaw via the fc_load_template function to include arbitrary . html files on the server. If an attacker can upload . html files containing PHP code, they can achieve remote code execution, bypass access controls, and access sensitive data. The vulnerability requires no user interaction beyond authentication and has a CVSS score of 8. 8.
AI-Powered Analysis
Technical Analysis
CVE-2025-12062 is a path traversal vulnerability classified under CWE-22 found in the WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin for WordPress. The vulnerability exists in the fc_load_template function, which improperly limits the pathname to a restricted directory, allowing an authenticated user with Subscriber-level privileges or higher to include arbitrary .html files from the server. This inclusion can lead to local file inclusion (LFI) attacks. If the attacker can upload .html files containing embedded PHP code, the server may execute this code, resulting in remote code execution (RCE). This flaw enables attackers to bypass access controls, extract sensitive information, and potentially take full control of the affected WordPress site. The vulnerability affects all versions up to 4.8.6, with no patches currently available. The CVSS 3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and only requiring low privileges and no user interaction. Although no known exploits are publicly reported, the vulnerability is critical due to the widespread use of the plugin and WordPress in general.
Potential Impact
For European organizations, this vulnerability poses a significant risk, particularly for those relying on WordPress sites with the affected plugin installed. Attackers with minimal privileges can escalate their access to execute arbitrary code, potentially leading to full site compromise, data breaches, defacement, or use of the site as a pivot point for further attacks within the network. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance under GDPR due to unauthorized data access or leakage. Organizations in sectors such as e-commerce, government, education, and media, which commonly use WordPress, are especially vulnerable. The ease of exploitation combined with the potential for severe impact on confidentiality, integrity, and availability makes this a critical threat to European digital infrastructure.
Mitigation Recommendations
Immediate mitigation steps include restricting file upload capabilities for Subscriber-level users and below, especially blocking .html file uploads or any file types that could contain executable code. Organizations should audit their WordPress installations to identify the presence of the vulnerable plugin and upgrade to a patched version once available. In the absence of a patch, applying virtual patching via Web Application Firewalls (WAFs) to block suspicious requests targeting the fc_load_template function or path traversal patterns is recommended. Additionally, implementing strict file permission policies on the server to prevent execution of uploaded files and monitoring logs for unusual file inclusion attempts can reduce risk. Regularly reviewing user roles and minimizing privileges to the least necessary will also limit exploitation potential. Backup strategies should be enhanced to enable rapid recovery in case of compromise.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-22T12:09:20.000Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6993abded1735ca731bdefea
Added to database: 2/16/2026, 11:44:30 PM
Last enriched: 2/16/2026, 11:58:46 PM
Last updated: 2/17/2026, 1:02:47 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2439: CWE-340 Generation of Predictable Numbers or Identifiers in BVA Concierge::Sessions
HighCVE-2025-15578: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in TEEJAY Maypole
HighCVE-2026-2001: CWE-862 Missing Authorization in wpxpo WowRevenue – Product Bundles & Bulk Discounts
HighCVE-2026-2567: Stack-based Buffer Overflow in Wavlink WL-NU516U1
HighCVE-2026-2566: Stack-based Buffer Overflow in Wavlink WL-NU516U1
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.