[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVS7eeAkt-7AsFEf7A-JESM_xruJFN3cI2crhfqMy1bs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-56011","mappress-maps-for-wordpress-unauthenticated-stored-cross-site-scripting","MapPress Maps for WordPress \u003C= 2.97.3 - Unauthenticated Stored Cross-Site Scripting","The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.97.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","mappress-google-maps-for-wordpress",null,"\u003C=2.97.3","2.97.4","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-06-19 00:00:00","2026-06-23 15:49:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fda8166f3-02d8-4519-a518-0f5e9e1b1ab3?source=api-prod",5,[22,23,24,25],"languages\u002Fmappress-google-maps-for-wordpress.pot","mappress.php","mappress_map.php","readme.txt","researched",false,3,"This research plan targets **CVE-2026-56011**, an unauthenticated stored Cross-Site Scripting (XSS) vulnerability in the MapPress Maps for WordPress plugin. The vulnerability stems from a lack of capability checks in AJAX handlers that allow unauthenticated users to save or update map data, combined with insufficient output escaping in the map rendering logic.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Unauthenticated Stored XSS.\n*   **Location:** The vulnerability resides in the AJAX handlers registered in `mappress_api.php` (specifically those lacking `current_user_can` checks) and the rendering logic in `mappress_map.php` \u002F `mappress_poi.php`.\n*   **Cause:** The plugin registers `wp_ajax_nopriv_` versions of map-saving actions. These actions do not verify that the requester has the `edit_posts` or `manage_options` capability. Furthermore, the `to_html()` methods for Maps and POIs (Points of Interest) do not properly escape all fields (like POI body content) before outputting them to the page.\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`.\n*   **Action:** `mapp_save` (inferred action for saving\u002Fcreating maps).\n*   **HTTP Parameter:** `map` (JSON string containing map and POI data).\n*   **Authentication:** Unauthenticated (No login required).\n*   **Preconditions:** The site must have the plugin active. The exploit is more effective if a MapPress map or \"Mashup\" is already displayed on a public page, or if the attacker can identify the `oid` (Object ID) of an existing post to attach a map to.\n\n### 3. Code Flow\n1.  **Entry Point:** An unauthenticated attacker sends a POST request to `admin-ajax.php` with `action=mapp_save`.\n2.  **Dispatch:** WordPress matches the action to the handler registered via `add_action('wp_ajax_nopriv_mapp_save', ...)` in `mappress_api.php`.\n3.  **Lack of Authorization:** The handler in `mappress_api.php` processes the request without calling `current_user_can()`.\n4.  **Data Processing:** The handler parses the `map` JSON parameter. It may call `new Mappress_Map($json_data)` and then `$map->save()`.\n5.  **Persistence:** The `save()` method (in `mappress_obj.php` or `mappress_db.php`) writes the unsanitized or insufficiently sanitized POI titles\u002Fbodies to the `{wp_prefix}mappress_maps` or `{wp_prefix}mappress_posts` tables.\n6.  **Rendering (Sink):** When a user views the post\u002Fpage, `Mappress_Map::to_html()` is called (likely via `the_content` filter). It iterates through POIs, calling `$poi->to_html()`.\n7.  **Execution:** If `$poi->to_html()` returns the POI `body` or `title` without `esc_html()` or `wp_kses()`, the injected `\u003Cscript>` executes in the victim's browser.\n\n### 4. Nonce Acquisition Strategy\nMapPress uses `wp_localize_script` to pass configuration and nonces to the frontend.\n*   **Shortcode:** The plugin's scripts are typically enqueued when the `[mappress]` shortcode is present.\n*   **Strategy:**\n    1.  Create a sacrificial page with the shortcode: `wp post create --post_type=page --post_status=publish --post_title=\"Map\" --post_content='[mappress]'`.\n    2.  Navigate to this page.\n    3.  Extract the nonce from the `mapp_data` (inferred) JavaScript object.\n*   **JS Variable:** `window.mapp_data?.nonce` or `window.mappress_data?.nonce`.\n*   **Verification:** Check the `mappress.php` or `mappress_map.php` files for calls to `wp_create_nonce`. If `check_ajax_referer` is called in the save handler, the action string must match the one used in `wp_create_nonce`.\n\n### 5. Exploitation Strategy\n1.  **Setup:** Place a map on a page to identify its structure.\n2.  **Payload Preparation:** Create a JSON object representing a Map with a malicious POI.\n    ```json\n    {\n      \"title\": \"Normal Map\",\n      \"pois\": [\n        {\n          \"title\": \"XSS\",\n          \"body\": \"Location info\u003Cscript>alert(document.domain)\u003C\u002Fscript>\",\n          \"point\": {\"lat\": 0, \"lng\": 0}\n        }\n      ]\n    }\n    ```\n3.  **HTTP Request:**\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002Fexample.com\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:**\n        ```\n        action=mapp_save&_wpnonce=[NONCE]&map={\"title\":\"XSS_Map\",\"pois\":[{\"title\":\"XSS\",\"body\":\"\u003Cimg src=x onerror=alert(1)>\"}]}\n        ```\n4.  **Injection:** If the response is a JSON success message (e.g., `{\"success\": true, \"mapid\": 123}`), the XSS is stored.\n\n### 6. Test Data Setup\n*   **Plugin:** Install MapPress Maps for WordPress v2.97.3.\n*   **Content:** Create one public post with ID `1`.\n*   **Shortcode:** `wp post create --post_type=page --post_status=publish --post_content='[mappress]'` to ensure nonces are generated and scripts are loaded.\n\n### 7. Expected Results\n*   The `admin-ajax.php` request returns a `200 OK` with a success status, even though no cookies are sent.\n*   When navigating to the page where the map is rendered, an alert box appearing with `1` (or `document.domain`) confirms the Stored XSS.\n\n### 8. Verification Steps\n1.  **DB Check:** Use `wp db query \"SELECT title, body FROM wp_mappress_maps\"` (or the appropriate table identified in `mappress_db.php`) to confirm the payload is stored verbatim.\n2.  **Log Check:** Verify no \"Forbidden\" or \"403\" errors occurred during the AJAX POST.\n3.  **Render Check:** View the source of the page containing the map and look for the raw `\u003Cimg src=x onerror=alert(1)>` inside the `mappress-map` component or POI list.\n\n### 9. Alternative Approaches\n*   **REST API:** If the AJAX actions are secured but the plugin registered REST routes in `mappress_api.php`, check `register_rest_route` for missing `permission_callback` arguments (or those returning `__return_true`).\n*   **POI List XSS:** Some templates render a list of POIs below the map. Check `templates\u002Fmashup-modal.php` or `mappress_template.php` to see if the `body` field is escaped there.\n*   **Map Alignment\u002FClass:** In `mappress_map.php`, the `$class` and `$alignment` variables are part of the object. Test if these can be used to break out of the `\u003Cmappress-map>` attributes: `map={\"class\": '\">\u003Cscript>alert(1)\u003C\u002Fscript>'}`.","The MapPress Maps for WordPress plugin is vulnerable to unauthenticated stored Cross-Site Scripting due to a lack of authorization checks in its AJAX saving routines and insufficient output escaping of map attributes. An attacker can submit a malicious map configuration containing JavaScript, which is then executed in the context of any user viewing a page where the map is rendered.","\u002F\u002F mappress_map.php line 56\n$name = (isset($vars['name']) ? $vars['name'] : 'noname');\n\n\u002F\u002F ...\n\n\u002F\u002F mappress_map.php line 59\nreturn \"\u003Cdiv>\u003C\u002Fdiv>\\r\\n\u003Cmappress-map id={$name} {$atts}>\\r\\n$pois\\r\\n\u003C\u002Fmappress-map>\\r\\n\";","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97.3\u002Fmappress_map.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97.4\u002Fmappress_map.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97.3\u002Fmappress_map.php\t2026-06-11 02:40:52.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmappress-google-maps-for-wordpress\u002F2.97.4\u002Fmappress_map.php\t2026-06-11 02:40:52.000000000 +0000\n@@ -56,7 +56,7 @@\n \t\t$name = (isset($vars['name']) ? $vars['name'] : 'noname');\n \t\t\n \t\t\u002F\u002F Extra div forces web component out of phrasing elements like \u003Cp>\n-\t\treturn \"\u003Cdiv>\u003C\u002Fdiv>\\r\\n\u003Cmappress-map id={$name} {$atts}>\\r\\n$pois\\r\\n\u003C\u002Fmappress-map>\\r\\n\";\n+\t\treturn \"\u003Cdiv>\u003C\u002Fdiv>\\r\\n\u003Cmappress-map id=\\\"\" . esc_attr($name) . \"\\\" {$atts}>\\r\\n$pois\\r\\n\u003C\u002Fmappress-map>\\r\\n\";        \n \t}","An unauthenticated attacker sends a POST request to admin-ajax.php with the action 'mapp_save' (or similar map-saving action), which is registered for unauthenticated users via wp_ajax_nopriv_ but lacks authorization checks. The attacker includes a 'map' JSON parameter containing a malicious payload in fields like the map 'name' or POI 'body'. When the map is subsequently rendered on a page via the [mappress] shortcode, the plugin's to_html() method in mappress_map.php outputs the unsanitized map ID and attributes directly into the HTML, triggering the stored script in the context of the victim's browser.","gemini-3-flash-preview","2026-06-25 20:11:12","2026-06-25 20:12:36",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","2.97.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmappress-google-maps-for-wordpress\u002Ftags\u002F2.97.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmappress-google-maps-for-wordpress.2.97.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmappress-google-maps-for-wordpress\u002Ftags\u002F2.97.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmappress-google-maps-for-wordpress.2.97.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmappress-google-maps-for-wordpress\u002Ftags"]