CVE-2019-10692 — AI Deep Analysis Summary

🚨 **Essence**: SQL Injection in `wp-google-maps` plugin. <br>💥 **Consequences**: Attackers can steal sensitive DB data, modify records, or run unauthorized admin commands. It’s a classic input validation failure.

🛡️ **Root Cause**: CWE-89 (SQL Injection). <br>🔍 **Flaw**: The file `includes/class.rest-api.php` fails to sanitize **field names** before using them in a `SELECT` statement. Dirty input = Dirty SQL.

📦 **Affected**: WordPress sites using `wp-google-maps`. <br>📉 **Version**: Any version **before 7.11.18**. <br>🔧 **Component**: The REST API integration class.

🕵️ **Attacker Actions**: <br>1. Extract sensitive info from the database. <br>2. Modify existing data. <br>3. Execute unauthorized admin operations. <br>🔓 **Privileges**: Context of the affected site (often high impact).

⚡ **Threshold**: Medium/Low. <br>🔑 **Auth**: Requires access to the REST API endpoint. <br>⚙️ **Config**: Plugin must be active and unpatched. No complex setup needed, just a vulnerable endpoint.

🔥 **Exploitation**: YES. <br>📜 **PoC**: Available via Nuclei templates and PacketStorm. <br>🌐 **Wild Exploit**: Rapid7 module exists (`auxiliary/admin/http/wp_google_maps_sqli`). It’s weaponized.

🔍 **Self-Check**: <br>1. Scan for `wp-google-maps` plugin. <br>2. Check version number (< 7.11.18). <br>3. Use Nuclei template `CVE-2019-10692.yaml` for automated detection. <br>4. Look for unsanitized REST API calls.

✅ **Fixed**: YES. <br>🩹 **Patch**: Update `wp-google-maps` to **version 7.11.18 or later**. <br>📢 **Source**: WordPress plugin repository and vendor changelog.

🚧 **No Patch?**: <br>1. **Disable** the plugin immediately if not needed. <br>2. **Restrict** access to `/wp-json/` endpoints via WAF. <br>3. **Monitor** logs for SQL injection patterns in REST API traffic.

🚨 **Urgency**: HIGH. <br>📅 **Priority**: Patch ASAP. <br>💡 **Why**: Public exploits exist, it affects data integrity, and it’s an old vulnerability (2019) that many legacy sites still run. Don’t wait!