Description
Missing Authorization vulnerability in Chandni Patel WP MapIt wp-mapit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP MapIt: from n/a through <= 3.0.3.
Published: 2026-01-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access due to broken access control
Action: Upgrade plugin
AI Analysis

Impact

The vulnerability stems from a missing authorization check within the WP MapIt plugin, which allows an attacker to exploit incorrectly configured access control levels. This flaw can enable unauthorized users to access or manipulate features that should be restricted, potentially exposing sensitive map data or permitting unwanted modifications. The weakness is a classic example of broken access control (CWE‑862), leading directly to privilege escalation within the WordPress environment.

Affected Systems

The affected product is the WordPress plugin WP MapIt developed by Chandni Patel. Any installation of WP MapIt version 3.0.3 or earlier is vulnerable. The vulnerability is present across all WordPress sites that have this plugin enabled, regardless of other security configurations.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, meaning there is no confirmed exploitation in the wild on record there. Based on the description, the likely attack vector is through the plugin's web interfaces, where an attacker could issue HTTP requests to restricted endpoints without proper authorization checks. While the data indicates missing authorization, detailed exploitation conditions are not explicitly disclosed, so it is inferred that any user who can send requests to the plugin may attempt to elevate their privileges.

Generated by OpenCVE AI on April 16, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP MapIt to a version later than 3.0.3, if an upgrade is available from the vendor.
  • If an upgrade cannot be performed immediately, disable or uninstall the WP MapIt plugin to eliminate the attack surface.
  • Monitor the WordPress site for any unauthorized activity and review the access logs for suspicious requests to plugin URLs.



Advisories

No advisories yet.

History

Mon, 26 Jan 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Chandnipatel
  Chandnipatel wp Mapit
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Chandnipatel
  Chandnipatel wp Mapit
  Wordpress
  Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in Chandni Patel WP MapIt wp-mapit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP MapIt: from n/a through <= 3.0.3.

Type: Title
Values Removed: (none)
Values Added: WordPress WP MapIt plugin <= 3.0.3 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:57.457Z

Reserved: 2026-01-07T13:44:06.688Z

Link: CVE-2026-22466

Vulnrichment

Updated: 2026-01-26T19:13:24.938Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:35.400

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22466

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses