CVE-2026-8907 describes a CSRF vulnerability in the WP-Ultimate-Map WordPress plugin (up to version 1.1). The plugin's process_init() function, hooked to admin_init, saves settings based solely on the presence of a POST parameter without nonce validation, allowing unauthorized requests to modify plugin options. Furthermore, the plugin stores certain settings, such as zoom-level, without sanitization and later outputs them into HTML attributes and inline JavaScript without escaping, which can lead to stored cross-site scripting (XSS) when an administrator views the settings page. This combination enables an attacker to perform unauthorized configuration changes and inject arbitrary scripts via a forged request that requires administrator interaction.

An attacker can exploit this vulnerability to change plugin settings without authentication by tricking an administrator into submitting a malicious request. The unsanitized and unescaped stored values can lead to script injection on the settings page, potentially allowing execution of arbitrary JavaScript in the context of the administrator's browser. This can result in limited confidentiality and integrity impacts, such as session hijacking or further attacks against the administrator's session. Availability is not affected. The CVSS score of 6.1 reflects these impacts with network attack vector, no privileges required, user interaction needed, and partial confidentiality and integrity impact.

No official patch or remediation guidance is currently available from the vendor. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, administrators should avoid clicking on untrusted links or performing actions that could trigger the plugin's settings save functionality. Monitoring for suspicious activity and restricting administrative access may help reduce risk.