Tech Insights 28 January 2026 7 min read

WP Go Maps Plugin Vulnerability Exposes 300,000 WordPress Sites: Update Now

A missing authorisation vulnerability in WP Go Maps (CVE-2026-0593) affects 300,000+ WordPress sites. The flaw allows unauthenticated attackers to modify map data. Update to version 10.0.05 immediately.

Mark McNeece Founder, 365i
At a Glance
  • CVE-2026-0593 is a missing authorisation flaw in WP Go Maps (CVSS 5.3) that lets unauthenticated attackers modify map data on over 300,000 WordPress sites.
  • The vulnerability requires no login credentials and no user interaction to exploit, affecting all versions up to and including 10.0.04.
  • WP Go Maps has accumulated 11 documented vulnerabilities across 2024-2025, indicating systemic security issues in its codebase.
  • Site owners should update to version 10.0.05 immediately and verify that map markers and addresses have not been tampered with.

A security vulnerability in WP Go Maps, one of the most popular mapping plugins for WordPress with over 300,000 active installations, allows unauthenticated attackers to modify map data without any login credentials. The flaw, tracked as CVE-2026-0593, was disclosed on 24 January 2026 and carries a CVSS score of 5.3 (Medium severity).

According to the National Vulnerability Database (NVD), the vulnerability exists due to a missing capability check in versions up to and including 10.0.04. Site owners running the plugin must update to version 10.0.05 immediately.

This is not an isolated incident for WP Go Maps, formerly known as WP Google Maps. The plugin has accumulated four documented vulnerabilities in 2025 and seven in 2024, raising questions about its long-term security posture.

What Happened

WP Go Maps is a WordPress plugin that enables site owners to embed Google Maps or OpenLayers maps on their websites. It's widely used by businesses displaying store locations, service areas, and event venues. The plugin has been downloaded millions of times and maintains over 300,000 active installations.

The vulnerability was discovered and reported through the Wordfence bug bounty programme. Wordfence's security advisory classifies the flaw as a Missing Authorization vulnerability (CWE-862).

"The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 10.0.04."

- Wordfence Threat Intelligence

In practical terms, this means anyone, without logging into your WordPress site, can potentially modify your map configurations. For businesses relying on accurate location data to drive customers to their premises, this is a serious concern.

Left: A legitimate business map with accurate store locations. Right: The same map after attackers exploit CVE-2026-0593 to inject malicious markers and redirect customers to fake sites.

Severity Assessment

The vulnerability carries a CVSS 3.1 base score of 5.3, classified as Medium severity. While this is not as critical as the recent Modular DS CVSS 10.0 flaw, it still represents a real risk:

CVE-2026-0593 CVSS Vector Breakdown

| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the internet |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No user action required |
| Impact | Integrity (Low) | Data modification possible |

The "None" value for privileges and user interaction is concerning. Attackers don't need any access or victim cooperation to exploit this flaw. The saving grace is that the impact is limited to data modification rather than complete system compromise.

WP Go Maps Security History

What makes this vulnerability particularly noteworthy is the pattern it represents. WP Go Maps has had a troubled security history:

2025 Vulnerabilities (4 total)

  • January 2025: Stored XSS vulnerability
  • March 2025: SQL Injection flaw
  • August 2025: Authenticated file upload issue
  • November 2025: CSRF vulnerability

2024 Vulnerabilities (7 total)

The plugin accumulated seven separate security advisories throughout 2024, including multiple cross-site scripting (XSS) and SQL injection vulnerabilities.

This history suggests systemic security issues in the plugin's codebase. Site owners should consider whether the plugin's functionality justifies the ongoing security maintenance burden, or whether alternative mapping solutions might offer better long-term security. For a broader look at WordPress vulnerabilities over the years, 365i Hosting's roundup of critical WordPress security vulnerabilities in 2025 provides useful context.

What You Need to Do

If you use WP Go Maps (or WP Google Maps, its former name), take these steps:

Updating from version 10.0.04 to 10.0.05 patches the vulnerability. Enable automatic updates to receive future security fixes immediately.

1. Update to Version 10.0.05 Immediately

Log into your WordPress admin panel, navigate to Plugins → Installed Plugins, find WP Go Maps, and update to the latest version. If automatic updates are disabled, enable them for security patches.

2. Verify Your Map Data

Check that your map markers, locations, and configurations haven't been tampered with. Look for any unusual entries or modified addresses that could misdirect customers.

3. Review Your Plugin Inventory

This is a good opportunity to audit all your WordPress plugins. Remove any you don't actively use, and ensure the rest are updated to their latest versions.

4. Consider Your Options

Given the plugin's security track record, evaluate whether you actually need a dedicated mapping plugin. Many businesses can achieve adequate map embedding using:

  • Native Google Maps embed codes (no plugin required)
  • The WordPress core Embed block
  • Alternative mapping plugins with better security histories
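
Steps 1 and 2 above can be scripted. The following Python is an added example, not code from this article or from the plugin: it flags any installed version below 10.0.05 (comparing components numerically, so the zero-padded "04" is handled) and diffs a current marker export against a known-good baseline. The export format, the marker field names, the allowlisted host and the sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

FIXED_VERSION = "10.0.05"  # first patched release named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def version_key(version):
    # Compare components as integers so the zero-padded "04" sorts below "05".
    return tuple(int(part) for part in re.findall(r"\d+", version))

def is_vulnerable(installed, fixed=FIXED_VERSION):
    return version_key(installed) < version_key(fixed)

def off_site_links(marker, allowed_hosts):
    # URLs in any field of a marker whose host is not on the site's allowlist.
    urls = [u for value in marker.values() for u in URL_RE.findall(str(value))]
    return [u for u in urls if (urlparse(u).hostname or "").lower() not in allowed_hosts]

def diff_markers(baseline, current, allowed_hosts):
    # Both arguments are marker exports: lists of dicts keyed by a stable "id".
    old = {m["id"]: m for m in baseline}
    new = {m["id"]: m for m in current}
    changed = {}
    for mid in sorted(old.keys() & new.keys()):
        fields = sorted(k for k in old[mid].keys() | new[mid].keys()
                        if old[mid].get(k) != new[mid].get(k))
        if fields:
            changed[mid] = fields
    links = {mid: off_site_links(m, allowed_hosts) for mid, m in sorted(new.items())}
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": changed,
        "off_site_links": {mid: found for mid, found in links.items() if found},
    }

# Constructed sample data; field names are assumptions, not the plugin's schema.
BASELINE = [
    {"id": 1, "title": "Head office", "address": "1 Example Street", "link": "https://shop.example/contact"},
    {"id": 2, "title": "Depot", "address": "22 Sample Road", "link": ""},
]
CURRENT = [
    {"id": 1, "title": "Head office", "address": "99 Other Lane", "link": "https://shop.example/contact"},
    {"id": 2, "title": "Depot", "address": "22 Sample Road", "link": ""},
    {"id": 3, "title": "New branch", "address": "5 Test Way", "description": "<a href='http://login.invalid/offer'>Offer</a>"},
]

if __name__ == "__main__":
    print(is_vulnerable("10.0.04"), is_vulnerable("10.0.05"))
    print(diff_markers(BASELINE, CURRENT, allowed_hosts={"shop.example"}))
```

Keep the baseline export somewhere the web server cannot write to, so that a tampered site cannot also rewrite the reference copy.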

Context Matters

To be clear: a CVSS 5.3 Medium severity vulnerability is not a "drop everything" emergency like the Microsoft Office zero-day we covered earlier today. However, it does require prompt attention for several reasons:

First, 300,000 installations represent a massive attack surface. Automated scanners will probe for this vulnerability across every WordPress install. Second, the "no authentication required" aspect makes it trivially exploitable. Third, the plugin's history suggests this won't be the last vulnerability discovered. And the scanning tools themselves are getting smarter: Google's GTIG has confirmed that state-sponsored groups now use AI to generate attack payloads in real time.

"Missing authorization vulnerabilities are particularly dangerous because they often represent fundamental flaws in how a plugin checks user permissions. These issues tend to recur unless the underlying architecture is redesigned."

- WordPress Security Best Practices, WordPress Plugin Developer Handbook

Timeline

CVE-2026-0593 Disclosure Timeline

| Date | Event |
|---|---|
| 24 January 2026 | Vulnerability disclosed via Wordfence |
| 24 January 2026 | CVE-2026-0593 assigned |
| 24 January 2026 | Version 10.0.05 released with fix |
| 24 January 2026 | NVD publishes advisory |

Frequently Asked Questions

How do I check if my site is affected?

In your WordPress admin, go to Plugins → Installed Plugins and look for "WP Go Maps" or "WP Google Maps". If you have version 10.0.04 or earlier installed, your site is vulnerable. Update to 10.0.05 or later immediately.

What does CVSS 5.3 Medium severity mean?

CVSS (Common Vulnerability Scoring System) rates vulnerabilities from 0 to 10. A score of 5.3 is classified as Medium severity, serious enough to require prompt patching but not the "drop everything" emergency that Critical (9.0+) vulnerabilities demand. Medium vulnerabilities should typically be patched within 30 days, though sooner is always better.

What can attackers actually do with this vulnerability?

Attackers can modify map data without logging in. This could include changing business addresses, adding malicious markers, or modifying map configurations. They cannot gain admin access or compromise other parts of your site through this specific vulnerability.

What if I'm not using WP Go Maps?

If you don't have WP Go Maps or WP Google Maps installed, this vulnerability doesn't affect you. However, this is a good reminder to audit your installed plugins and ensure everything is updated.

Should I stop using WP Go Maps given its security history?

That's a judgement call based on your needs. The plugin has had 11 documented vulnerabilities across 2024-2025, which is concerning. If you only need basic map functionality, consider using Google Maps embed codes directly without a plugin. If you need advanced features, weigh the functionality against the security maintenance burden.

Should I enable automatic updates for this plugin?

Given the plugin's history of security issues, enabling automatic updates is advisable. In WordPress, go to Plugins → Installed Plugins, find WP Go Maps, and click "Enable auto-updates". This ensures you receive security patches as soon as they're released.

What are the alternatives to WP Go Maps?

For basic maps, you can use Google Maps embed codes directly (no plugin needed) or the WordPress Embed block. For more features, alternatives include Maps Widget for Google Maps, MapPress Maps, or Jetrack Maps. Research each option's security history before installing.
