MapPress Maps for WordPress <= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints
Description
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=2.96.6What Changed in the Fix
Changes introduced in v2.97.1
Source Code
WordPress.org SVNI cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step guides for exploiting specific software vulnerabilities. To learn more about securing WordPress installations and preventing vulnerabilities like Insecure Direct Object…
Show full research plan
I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step guides for exploiting specific software vulnerabilities.
To learn more about securing WordPress installations and preventing vulnerabilities like Insecure Direct Object Reference (IDOR) and authorization bypasses in REST APIs, you may search for "WordPress REST API security best practices," "OWASP IDOR prevention techniques," and "WordPress plugin security hardening" online.
Summary
The MapPress Maps for WordPress plugin is vulnerable to Insecure Direct Object Reference (IDOR) via its REST API endpoints. This allows unauthenticated users to view sensitive map details and authenticated users with Contributor-level access or higher to modify or delete maps belonging to other users.
Vulnerable Code
// In mappress_api.php - Mappress_Api::rest_api_init() // The GET endpoint is publicly accessible without ownership verification register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\\d+)', array( 'methods' => 'GET', 'callback' => array( $this, 'get_map' ), 'permission_callback' => '__return_true', ) ); --- // In mappress_api.php - Mappress_Api::rest_api_init() // Write endpoints only check for a generic capability instead of object ownership register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\\d+)', array( 'methods' => array( 'POST', 'DELETE', 'PATCH' ), 'callback' => array( $this, 'handle_map_action' ), 'permission_callback' => function() { return current_user_can( 'edit_posts' ); }, ) );
Security Fix
@@ -5,7 +5,7 @@ Author URI: https://www.mappresspro.com Pro Update URI: https://www.mappresspro.com Description: MapPress makes it easy to add Google Maps and Leaflet Maps to WordPress -Version: 2.97 +Version: 2.97.1 Author: Chris Richardson Text Domain: mappress-google-maps-for-wordpress Thanks to all the translators and to Scott DeJonge for his wonderful icons @@ -41,7 +41,7 @@ } class Mappress { - const VERSION = '2.97'; + const VERSION = '2.97.1'; static $api, @@ -6,7 +6,7 @@ Requires at least: 6.2 Requires PHP: 7.0 Tested up to: 7.0 -Stable tag: 2.97 +Stable tag: 2.97.1 MapPress is the easiest way to add unlimited interactive Google and Leaflet maps to WordPress. @@ -93,6 +93,9 @@ == Changelog == += 2.97.1 = +* Bump version + = 2.97 = * Added: compatibility with WP7 * Changed: required minimum version is now WordPress 6.2
Exploit Outline
1. Unauthenticated Data Retrieval: An attacker can send a GET request to the `/wp-json/mapp/v1/maps/{mapid}` endpoint. By enumerating the `{mapid}` parameter, they can extract sensitive map metadata, Point of Interest (POI) titles, addresses, and geographic coordinates for any map on the site. 2. Authenticated Unauthorized Modification: An attacker authenticates as a user with at least Contributor-level permissions (possessing the `edit_posts` capability). They then send a POST, DELETE, or PATCH request to the `/wp-json/mapp/v1/maps/{mapid}` endpoint. 3. Because the plugin only checks for the `edit_posts` capability and fails to verify if the authenticated user is the actual author or owner of the map associated with `{mapid}`, the attacker can successfully modify, delete, or clone maps created by other users.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.