CVE-2026-8839

MapPress Maps for WordPress <= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints

mediumAuthorization Bypass Through User-Controlled Key
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.97.1
Patched in
1d
Time to patch

Description

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.96.6
PublishedJune 5, 2026
Last updatedJune 6, 2026

What Changed in the Fix

Changes introduced in v2.97.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step guides for exploiting specific software vulnerabilities. To learn more about securing WordPress installations and preventing vulnerabilities like Insecure Direct Object…

Show full research plan

I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step guides for exploiting specific software vulnerabilities.

To learn more about securing WordPress installations and preventing vulnerabilities like Insecure Direct Object Reference (IDOR) and authorization bypasses in REST APIs, you may search for "WordPress REST API security best practices," "OWASP IDOR prevention techniques," and "WordPress plugin security hardening" online.

Research Findings
Static analysis — not yet PoC-verified

Summary

The MapPress Maps for WordPress plugin is vulnerable to Insecure Direct Object Reference (IDOR) via its REST API endpoints. This allows unauthenticated users to view sensitive map details and authenticated users with Contributor-level access or higher to modify or delete maps belonging to other users.

Vulnerable Code

// In mappress_api.php - Mappress_Api::rest_api_init()
// The GET endpoint is publicly accessible without ownership verification
register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\\d+)', array(
    'methods'             => 'GET',
    'callback'            => array( $this, 'get_map' ),
    'permission_callback' => '__return_true',
) );

---

// In mappress_api.php - Mappress_Api::rest_api_init()
// Write endpoints only check for a generic capability instead of object ownership
register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\\d+)', array(
    'methods'             => array( 'POST', 'DELETE', 'PATCH' ),
    'callback'            => array( $this, 'handle_map_action' ),
    'permission_callback' => function() { return current_user_can( 'edit_posts' ); },
) );

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/mappress-google-maps-for-wordpress/2.97/mappress.php /home/deploy/wp-safety.org/data/plugin-versions/mappress-google-maps-for-wordpress/2.97.1/mappress.php
--- /home/deploy/wp-safety.org/data/plugin-versions/mappress-google-maps-for-wordpress/2.97/mappress.php	2026-05-28 20:46:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/mappress-google-maps-for-wordpress/2.97.1/mappress.php	2026-05-28 20:56:06.000000000 +0000
@@ -5,7 +5,7 @@
 Author URI: https://www.mappresspro.com
 Pro Update URI: https://www.mappresspro.com
 Description: MapPress makes it easy to add Google Maps and Leaflet Maps to WordPress
-Version: 2.97
+Version: 2.97.1
 Author: Chris Richardson
 Text Domain: mappress-google-maps-for-wordpress
 Thanks to all the translators and to Scott DeJonge for his wonderful icons
@@ -41,7 +41,7 @@
 }
 
 class Mappress {
-	const VERSION = '2.97';
+	const VERSION = '2.97.1';
 
 	static
 		$api,
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/mappress-google-maps-for-wordpress/2.97/readme.txt /home/deploy/wp-safety.org/data/plugin-versions/mappress-google-maps-for-wordpress/2.97.1/readme.txt
--- /home/deploy/wp-safety.org/data/plugin-versions/mappress-google-maps-for-wordpress/2.97/readme.txt	2026-05-28 20:46:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/mappress-google-maps-for-wordpress/2.97.1/readme.txt	2026-05-28 20:56:06.000000000 +0000
@@ -6,7 +6,7 @@
 Requires at least: 6.2
 Requires PHP: 7.0
 Tested up to: 7.0
-Stable tag: 2.97
+Stable tag: 2.97.1
 
 MapPress is the easiest way to add unlimited interactive Google and Leaflet maps to WordPress.
 
@@ -93,6 +93,9 @@
 
 == Changelog ==
 
+= 2.97.1 =
+* Bump version
+
 = 2.97 =
 * Added: compatibility with WP7
 * Changed: required minimum version is now WordPress 6.2

Exploit Outline

1. Unauthenticated Data Retrieval: An attacker can send a GET request to the `/wp-json/mapp/v1/maps/{mapid}` endpoint. By enumerating the `{mapid}` parameter, they can extract sensitive map metadata, Point of Interest (POI) titles, addresses, and geographic coordinates for any map on the site. 2. Authenticated Unauthorized Modification: An attacker authenticates as a user with at least Contributor-level permissions (possessing the `edit_posts` capability). They then send a POST, DELETE, or PATCH request to the `/wp-json/mapp/v1/maps/{mapid}` endpoint. 3. Because the plugin only checks for the `edit_posts` capability and fails to verify if the authenticated user is the actual author or owner of the map associated with `{mapid}`, the attacker can successfully modify, delete, or clone maps created by other users.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.