CVE-2025-12062: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in flippercode WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .html files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .html file types can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-12062 is a path traversal vulnerability categorized under CWE-22 found in the flippercode WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters WordPress plugin. The flaw exists in the fc_load_template function, which improperly restricts pathname inputs, allowing an authenticated attacker with Subscriber-level privileges or higher to perform Local File Inclusion (LFI). By exploiting this, attackers can include arbitrary .html files from the server filesystem. If these .html files contain embedded PHP code (possible through certain upload mechanisms), the attacker can achieve remote code execution (RCE). This vulnerability can be leveraged to bypass access controls, access sensitive files, or execute malicious code on the server. The vulnerability affects all versions up to and including 4.8.6 of the plugin. The CVSS v3.1 base score is 8.8, indicating a high severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the ease of exploitation and potential impact make this a critical issue for affected sites. The vulnerability is particularly dangerous because Subscriber-level access is commonly granted to registered users, increasing the attack surface. The plugin is widely used in WordPress sites for location and directory services, making many websites potentially vulnerable.
Potential Impact
The impact of CVE-2025-12062 is significant for organizations using the affected WP Maps plugin. Successful exploitation can lead to remote code execution, allowing attackers to take full control of the web server hosting the WordPress site. This can result in data breaches, defacement, deployment of malware or ransomware, and lateral movement within the network. Confidential data stored on the server or accessible through the web application can be exposed or altered. The ability to bypass access controls means attackers can escalate privileges or access restricted areas of the site. The availability of the website or service can also be disrupted. Given the plugin’s role in providing store locator and mapping functionality, e-commerce and directory services relying on it may face operational disruptions and reputational damage. The requirement for only Subscriber-level access lowers the barrier for exploitation, increasing risk from insider threats or compromised user accounts.
Mitigation Recommendations
To mitigate CVE-2025-12062, organizations should immediately update the WP Maps plugin to a patched version once available from the vendor. Until a patch is released, administrators should restrict plugin usage to trusted users only and consider disabling or removing the plugin if not essential. Implement strict file upload controls to prevent uploading of malicious .html or PHP files, including enforcing file type validation and scanning uploads for malicious content. Employ web application firewalls (WAFs) with rules to detect and block path traversal attempts targeting the fc_load_template function. Monitor logs for suspicious file inclusion attempts or unusual activity from Subscriber-level accounts. Limit Subscriber privileges where possible and enforce strong authentication and account monitoring to reduce the risk of compromised accounts. Regularly back up website data and configurations to enable recovery in case of compromise. Conduct security audits and penetration testing focusing on plugin vulnerabilities and file inclusion risks.
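The root cause described above is a template loader that accepts a caller-supplied filename without confining it to the template directory. The following Python example (added here; it is not the plugin's code, and the directory layout and filenames are constructed for the demonstration) shows the containment check such a loader should enforce: bare filename only, allowlisted extension, and a realpath-based directory check that also catches symlinks pointing outside the template directory.

```python
import os
import tempfile
from urllib.parse import unquote

# Only template types the loader is meant to serve; the vulnerable loader
# accepted arbitrary .html paths, so the extension check alone is not enough.
ALLOWED_EXTENSIONS = {".html"}

def resolve_template(base_dir, requested):
    """Return the absolute path of `requested` inside `base_dir`, or None when
    it is empty, carries a path component, has a disallowed extension,
    resolves outside `base_dir` (including via symlink), or does not exist."""
    if not requested or "\x00" in requested:
        return None
    name = unquote(requested)            # decode once so %2F cannot hide a separator
    if "/" in name or "\\" in name or name in (".", ".."):
        return None                      # templates are addressed by bare filename only
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None                      # escaped the template directory after symlink resolution
    if not os.path.isfile(candidate):
        return None
    return candidate

def demo():
    """Build a throwaway template directory and report which requests are accepted."""
    root = tempfile.mkdtemp()
    tpl_dir = os.path.join(root, "templates")
    os.mkdir(tpl_dir)
    with open(os.path.join(tpl_dir, "store-list.html"), "w") as fh:
        fh.write("<ul>constructed template</ul>")
    with open(os.path.join(root, "outside.html"), "w") as fh:
        fh.write("constructed file outside the template directory")
    try:  # symlink inside the template dir that points outside it
        os.symlink(os.path.join(root, "outside.html"), os.path.join(tpl_dir, "link.html"))
    except OSError:
        pass  # platforms without symlink support still reject it as missing
    requests = ["store-list.html", "../outside.html", "..%2Foutside.html",
                "link.html", "store-list.php", "missing.html"]
    return {r: resolve_template(tpl_dir, r) is not None for r in requests}

if __name__ == "__main__":
    for req, ok in demo().items():
        print(f"{req!r:22} -> {'served' if ok else 'rejected'}")
```

Only `store-list.html` is served; every traversal, encoded traversal, symlink escape, wrong extension and missing file is rejected before any include happens.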
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-22T12:09:20.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6993abded1735ca731bdefea
Added to database: 2/16/2026, 11:44:30 PM
Last enriched: 2/24/2026, 12:05:07 AM
Last updated: 4/3/2026, 6:15:02 AM