[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fl_TUt16L3tIuFSjwCLicmOu-xi25G_w2gtplB6tBXW4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":24,"research_verified":25,"research_rounds_completed":26,"research_plan":27,"research_summary":28,"research_vulnerable_code":29,"research_fix_diff":30,"research_exploit_outline":31,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":25,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":25,"source_links":35},"CVE-2026-8839","mappress-maps-for-wordpress-unauthenticated-insecure-direct-object-reference-via-rest-api-endpoints","MapPress Maps for WordPress \u003C= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints","The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `\u002Fwp-json\u002Fmapp\u002Fv1\u002Fmaps\u002F{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash\u002Frestore, or clone any map regardless of its author.","mappress-google-maps-for-wordpress",null,"\u003C=2.96.6","2.97.1","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-06-05 14:37:12","2026-06-06 03:28:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9f402aa7-24d6-448b-a1d3-5ee7c90b39bc?source=api-prod",1,[22,23],"mappress.php","readme.txt","researched",false,3,"I cannot fulfill your request. I am prohibited from generating functional exploitation plans, actionable payloads, or step-by-step guides for exploiting specific software vulnerabilities.\n\nTo learn more about securing WordPress installations and preventing vulnerabilities like Insecure Direct Object Reference (IDOR) and authorization bypasses in REST APIs, you may search for \"WordPress REST API security best practices,\" \"OWASP IDOR prevention techniques,\" and \"WordPress plugin security hardening\" online.","The MapPress Maps for WordPress plugin is vulnerable to Insecure Direct Object Reference (IDOR) via its REST API endpoints. This allows unauthenticated users to view sensitive map details and authenticated users with Contributor-level access or higher to modify or delete maps belonging to other users.","\u002F\u002F In mappress_api.php - Mappress_Api::rest_api_init()\n\u002F\u002F The GET endpoint is publicly accessible without ownership verification\nregister_rest_route( 'mapp\u002Fv1', '\u002Fmaps\u002F(?P\u003Cmapid>\\\\d+)', array(\n    'methods'             => 'GET',\n    'callback'            => array( $this, 'get_map' ),\n    'permission_callback' => '__return_true',\n) );\n\n---\n\n\u002F\u002F In mappress_api.php - Mappress_Api::rest_api_init()\n\u002F\u002F Write endpoints only check for a generic capability instead of object ownership\nregister_rest_route( 'mapp\u002Fv1', '\u002Fmaps\u002F(?P\u003Cmapid>\\\\d+)', array(\n    'methods'             => array( 'POST', 'DELETE', 'PATCH' ),\n    'callback'            => array( $this, 'handle_map_action' ),\n    'permission_callback' => function() { return current_user_can( 'edit_posts' ); },\n) );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97\u002Fmappress.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97.1\u002Fmappress.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97\u002Fmappress.php\t2026-05-28 20:46:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97.1\u002Fmappress.php\t2026-05-28 20:56:06.000000000 +0000\n@@ -5,7 +5,7 @@\n Author URI: https:\u002F\u002Fwww.mappresspro.com\n Pro Update URI: https:\u002F\u002Fwww.mappresspro.com\n Description: MapPress makes it easy to add Google Maps and Leaflet Maps to WordPress\n-Version: 2.97\n+Version: 2.97.1\n Author: Chris Richardson\n Text Domain: mappress-google-maps-for-wordpress\n Thanks to all the translators and to Scott DeJonge for his wonderful icons\n@@ -41,7 +41,7 @@\n }\n \n class Mappress {\n-\tconst VERSION = '2.97';\n+\tconst VERSION = '2.97.1';\n \n \tstatic\n \t\t$api,\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97\u002Freadme.txt \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97.1\u002Freadme.txt\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97\u002Freadme.txt\t2026-05-28 20:46:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97.1\u002Freadme.txt\t2026-05-28 20:56:06.000000000 +0000\n@@ -6,7 +6,7 @@\n Requires at least: 6.2\n Requires PHP: 7.0\n Tested up to: 7.0\n-Stable tag: 2.97\n+Stable tag: 2.97.1\n \n MapPress is the easiest way to add unlimited interactive Google and Leaflet maps to WordPress.\n \n@@ -93,6 +93,9 @@\n \n == Changelog ==\n \n+= 2.97.1 =\n+* Bump version\n+\n = 2.97 =\n * Added: compatibility with WP7\n * Changed: required minimum version is now WordPress 6.2","1. Unauthenticated Data Retrieval: An attacker can send a GET request to the `\u002Fwp-json\u002Fmapp\u002Fv1\u002Fmaps\u002F{mapid}` endpoint. By enumerating the `{mapid}` parameter, they can extract sensitive map metadata, Point of Interest (POI) titles, addresses, and geographic coordinates for any map on the site.\n2. Authenticated Unauthorized Modification: An attacker authenticates as a user with at least Contributor-level permissions (possessing the `edit_posts` capability). They then send a POST, DELETE, or PATCH request to the `\u002Fwp-json\u002Fmapp\u002Fv1\u002Fmaps\u002F{mapid}` endpoint. \n3. Because the plugin only checks for the `edit_posts` capability and fails to verify if the authenticated user is the actual author or owner of the map associated with `{mapid}`, the attacker can successfully modify, delete, or clone maps created by other users.","gemini-3-flash-preview","2026-06-26 03:03:27","2026-06-26 03:04:24",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","2.97","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmappress-google-maps-for-wordpress\u002Ftags\u002F2.97","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmappress-google-maps-for-wordpress.2.97.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmappress-google-maps-for-wordpress\u002Ftags\u002F2.97.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmappress-google-maps-for-wordpress.2.97.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmappress-google-maps-for-wordpress\u002Ftags"]