CVE-2026-3222 is a SQL Injection vulnerability in the WP Maps – Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters WordPress plugin. The issue exists because the plugin's database abstraction method `FlipperCode_Model_Base::is_column()` treats user input wrapped in backticks as column names, circumventing the `esc_sql()` escaping function. Additionally, the `wpgmp_ajax_call` AJAX handler, accessible to unauthenticated users, allows calling arbitrary class methods including `wpgmp_return_final_capability`, which uses the unsanitized 'location_id' GET parameter directly in SQL queries. This combination permits unauthenticated attackers to append SQL commands and extract sensitive data via time-based blind SQL Injection.

An unauthenticated attacker can exploit this vulnerability to perform time-based blind SQL Injection attacks against the plugin's database. This can lead to unauthorized disclosure of sensitive information stored in the database. The vulnerability does not allow modification or deletion of data (no integrity or availability impact indicated), but the confidentiality impact is high due to potential data leakage.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the vulnerable AJAX handler if possible and consider disabling the WP Maps plugin if it is not essential. Monitor for vendor updates and apply patches promptly once released.