CVE-2026-3222: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in flippercode WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters
CVE-2026-3222 is a high-severity SQL Injection vulnerability in the WP Maps plugin for WordPress, affecting all versions up to 4.9.1. The flaw arises from improper sanitization of the 'location_id' parameter, which is used in database queries without adequate escaping. An unauthenticated attacker can exploit this via a time-based blind SQL Injection through an AJAX handler accessible without login, allowing extraction of sensitive database information. The vulnerability is due to the plugin's database abstraction layer treating user input wrapped in backticks as column names, bypassing standard escaping functions. No known exploits are currently reported in the wild. Organizations using this plugin should urgently apply patches or implement mitigations to prevent data leakage. The CVSS score is 7.5 (high), reflecting the ease of remote exploitation without authentication and the potential confidentiality impact.
AI Analysis
Technical Summary
CVE-2026-3222 is a critical SQL Injection vulnerability identified in the WP Maps plugin for WordPress, which provides store locator and mapping functionalities integrating Google Maps, OpenStreetMap, Mapbox, and directory filters. The vulnerability exists in all plugin versions up to and including 4.9.1. It stems from the plugin's database abstraction layer method `FlipperCode_Model_Base::is_column()`, which incorrectly treats user input enclosed in backticks as column identifiers, thereby bypassing the `esc_sql()` function designed to sanitize SQL inputs. This improper neutralization of special elements (CWE-89) allows attackers to inject malicious SQL code via the 'location_id' parameter. Furthermore, the AJAX handler `wpgmp_ajax_call` is registered for unauthenticated users (`wp_ajax_nopriv`), enabling attackers without any credentials to invoke arbitrary class methods, including `wpgmp_return_final_capability`. This method directly uses the unsanitized 'location_id' GET parameter in database queries, facilitating time-based blind SQL Injection attacks. Exploiting this vulnerability, attackers can append additional SQL queries to extract sensitive information from the backend database, such as user data or configuration details. Although no known exploits have been reported in the wild yet, the vulnerability's characteristics make it highly exploitable remotely without authentication or user interaction. The CVSS v3.1 base score is 7.5, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. The vulnerability affects a widely used WordPress plugin, increasing the potential attack surface for websites relying on it for location and directory services.
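A constructed Python model of the two patterns the analysis contrasts (added here; it is not the plugin's code): an identifier check that trusts anything wrapped in backticks and therefore skips escaping, beside a hardened version that allowlists column names and treats `location_id` as a bound integer in the style of `wpdb::prepare()`. The column names, the `esc_sql()` stand-in and all function names are assumptions.

```python
import re

# Constructed model of the described flaw, not the plugin's own code.
# Assumed column names for the location table; the real schema is not on the page.
KNOWN_COLUMNS = {"location_id", "location_title", "location_address"}
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def esc_sql(value: str) -> str:
    """Stand-in for WordPress esc_sql(): escapes backslashes and quotes in a string literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def is_column_flawed(value: str) -> bool:
    """The described bug: anything wrapped in backticks is trusted as a column identifier."""
    return len(value) >= 2 and value[0] == "`" and value[-1] == "`"


def render_flawed(value: str) -> str:
    """Identifiers are emitted raw, so a backtick-wrapped value never reaches esc_sql()."""
    if is_column_flawed(value):
        return value
    return "'" + esc_sql(value) + "'"


def build_where_flawed(location_id: str) -> str:
    """Escaping protects string literals only; the identifier path is the bypass."""
    return "WHERE location_id = " + render_flawed(location_id)


def is_column_hardened(value: str) -> bool:
    """Identifiers come from an allowlist of real columns, never from the shape of the input."""
    name = value[1:-1] if is_column_flawed(value) else value
    return IDENT_RE.fullmatch(name) is not None and name in KNOWN_COLUMNS


def build_where_hardened(location_id: str):
    """location_id is an integer key: validate it as one and pass it as a bound parameter."""
    if not re.fullmatch(r"[1-9][0-9]*", location_id):
        raise ValueError("location_id must be a positive integer")
    return "WHERE location_id = %d", (int(location_id),)
```

The flawed path shows why escaping cannot fix this class of bug: the value that matters is never escaped at all, so the fix is an allowlist for identifiers and a typed, bound parameter for the key.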
Potential Impact
The primary impact of CVE-2026-3222 is unauthorized disclosure of sensitive database information due to SQL Injection exploitation. Attackers can remotely execute crafted SQL queries without authentication, potentially extracting user credentials, personal data, or other confidential information stored in the database. This can lead to data breaches, privacy violations, and compliance issues for affected organizations. Additionally, the exposure of internal database structure or configuration may facilitate further attacks, including privilege escalation or lateral movement within the compromised environment. Since the vulnerability does not directly affect data integrity or availability, the immediate risk is data confidentiality loss. However, the extracted information could be leveraged for subsequent attacks, increasing overall risk. Organizations running WordPress sites with this plugin, especially those handling sensitive customer or business data, face significant reputational and financial damage if exploited. The widespread use of WordPress globally amplifies the potential scale of impact, particularly for e-commerce, directory, and location-based service providers.
Mitigation Recommendations
To mitigate CVE-2026-3222, organizations should immediately update the WP Maps plugin to a patched version once released by the vendor. Until a patch is available, the following specific measures are recommended:
1) Disable or restrict access to the vulnerable AJAX handler `wpgmp_ajax_call` for unauthenticated users by modifying plugin code or using web application firewall (WAF) rules to block requests containing the 'location_id' parameter or targeting this endpoint.
2) Implement strict input validation and sanitization at the web server or application firewall level to detect and block SQL Injection patterns targeting the 'location_id' parameter.
3) Employ least privilege principles for database accounts used by WordPress to limit the impact of any injection attempts.
4) Monitor web server and application logs for unusual or repeated requests to the AJAX handler or suspicious query patterns indicative of SQL Injection attempts.
5) Consider temporarily disabling the WP Maps plugin if it is not critical to business operations until a secure update is applied.
6) Conduct a thorough security review and database audit to detect any signs of compromise or data exfiltration.
These targeted mitigations go beyond generic advice by focusing on the specific vulnerable components and attack vectors identified in this vulnerability.
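Log monitoring for item 4, as an added example that is not part of the original advisory: it parses combined-format access-log lines, keeps only requests to `admin-ajax.php` with `action=wpgmp_ajax_call`, and flags a `location_id` that is not a plain integer, contains a backtick, or carries a time-based marker, while counting per-IP hits on the handler. The log lines are constructed; how the handler selects the class method is not described on the page, so only `action` and `location_id` are matched.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines for illustration, not real traffic.
# Only the `action` and `location_id` parameters are inspected.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Mar/2026:05:30:01 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2026:05:30:02 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=42%60%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2026:05:30:09 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmp_ajax_call&location_id=%60SLEEP%285%29%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Mar/2026:05:31:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+)[^"]*"')
TIME_BASED_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)  # blind-probing markers


def classify(line: str):
    """Record for a request to the vulnerable handler; None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query)  # percent-decodes values, e.g. %60 -> `
    if not url.path.endswith("/admin-ajax.php") or params.get("action") != ["wpgmp_ajax_call"]:
        return None
    loc = params.get("location_id", [None])[0]
    reasons = []
    if loc is not None:
        if not loc.isdigit():
            reasons.append("non_numeric_location_id")  # the key should be a plain integer
        if "`" in loc:
            reasons.append("backtick_in_location_id")  # the identifier-trick indicator
        if TIME_BASED_RE.search(loc):
            reasons.append("time_based_marker")
    return {"ip": m["ip"], "ts": m["ts"], "location_id": loc, "reasons": reasons}


def scan(log_text: str):
    """Alerts for suspicious requests plus per-IP hit counts on the handler (for rate review)."""
    alerts, hits = [], Counter()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        hits[rec["ip"]] += 1
        if rec["reasons"]:
            alerts.append(rec)
    return alerts, hits
```

The same three checks translate directly into a WAF rule for item 2: reject the request when `location_id` is present on this action and is anything other than digits.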
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-25T18:31:35.132Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b0fdcf2f860ef9432e28ef
Added to database: 3/11/2026, 5:29:51 AM
Last enriched: 3/11/2026, 5:44:09 AM
Last updated: 3/11/2026, 10:14:50 AM