CVE-2026-2580 (CVSS 7.5, High) is an unauthenticated time-based SQL injection in the WP Maps plugin for WordPress, affecting all versions through 4.9.1. It is exploitable via the ‘orderby’ parameter without credentials and allows extraction of the full WordPress database, including user credentials and application secrets. EPSS currently places it in the 21st percentile, indicating low exploitation activity, but exploitation requires no prior access. Update the plugin immediately to a patched version beyond 4.9.1; if no patched version is available, disable and remove the plugin and apply WAF rules targeting SQL injection patterns on plugin endpoints.
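As a triage aid while patching, the following added example (not code from the plugin or from this advisory) scans web access logs for requests whose ‘orderby’ query parameter is anything other than a bare column name with an optional sort direction. It assumes combined-format logs and that the parameter arrives in the query string; the function name, allow-list pattern, paths and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate orderby value is a bare column name, optionally
# followed by a sort direction. Any other value is reported for review.
SAFE_ORDERBY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\s+(asc|desc))?$", re.IGNORECASE)
# Client address and request target from a combined-format access log entry.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_orderby(lines):
    """Return (line_no, client_ip, decoded_value) for each non-identifier orderby value."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        query = urlsplit(m.group("target")).query
        # parse_qsl URL-decodes values, so encoded punctuation is seen in clear.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key.lower() == "orderby" and not SAFE_ORDERBY.match(value.strip()):
                hits.append((no, m.group("ip"), value))
    return hits


# Constructed sample log lines (not real traffic; the path is a placeholder).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /example-page/?orderby=title HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [01/Jan/2026:10:00:01 +0000] "GET /example-page/?orderby=title+desc HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "GET /example-page/?orderby=id%2C%28select+1%29 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /example-page/?page=2 HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for no, ip, value in suspicious_orderby(SAMPLE_LOG):
        print(f"line {no}: {ip} sent orderby={value!r}")
```

Requests that carry the parameter in a POST body do not appear in access logs, so a clean result here does not rule out exploitation attempts.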