Description
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.
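The route-level permission model the description attributes to `Mappress_Api::rest_api_init()`, beside a hardened form, as an added illustration that is not MapPress's own code. Assumptions (mine, not from the advisory): maps are WordPress posts of a post type registered with `map_meta_cap`, so the per-object meta capabilities `edit_post` and `delete_post` apply; the route captures the ID as `mapid` with a standard `(?P<mapid>\d+)` pattern; the handler functions are placeholders; and published maps are meant to stay publicly readable because they are rendered on public pages. The clone, mutate and empty_trash endpoints the advisory names are not shown because their paths are not given here.

```php
<?php
/*
 * Added illustration, not MapPress's own code: the permission model the advisory
 * attributes to Mappress_Api::rest_api_init(), followed by a hardened version.
 * Assumptions (mine): maps are WordPress posts of a post type registered with
 * map_meta_cap, so the per-object meta capabilities 'edit_post' and 'delete_post'
 * apply; the route captures the ID as 'mapid'; the handler functions are placeholders.
 */

// Placeholder handlers so the routes can be registered as written.
function mappress_example_get_map( WP_REST_Request $request ) {
    return rest_ensure_response( get_post( (int) $request['mapid'] ) );
}
function mappress_example_write_map( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'mapid' => (int) $request['mapid'] ) );
}

// --- Vulnerable shape, as the advisory describes it ------------------------------
function mappress_example_routes_vulnerable() {
    register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\d+)', array(
        array(
            'methods'             => 'GET',
            'callback'            => 'mappress_example_get_map',
            'permission_callback' => '__return_true',          // anyone may read any map
        ),
        array(
            'methods'             => array( 'POST', 'PATCH', 'DELETE' ),
            'callback'            => 'mappress_example_write_map',
            // Role-level check only: any Contributor passes for any mapid.
            'permission_callback' => function () {
                return current_user_can( 'edit_posts' );
            },
        ),
    ) );
}

// --- Hardened: tie the decision to the object named in the request ---------------
function mappress_example_deny( $message ) {
    // 401 for anonymous callers, 403 for logged-in users without rights.
    return new WP_Error( 'rest_forbidden', $message,
        array( 'status' => is_user_logged_in() ? 403 : 401 ) );
}

function mappress_example_can_read_map( WP_REST_Request $request ) {
    $post = get_post( (int) $request['mapid'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_map_not_found', 'Map not found.', array( 'status' => 404 ) );
    }
    // Assumed policy: published maps stay public (they are rendered on public
    // pages); drafts, private and trashed maps need edit rights on that map.
    if ( 'publish' === $post->post_status || current_user_can( 'edit_post', $post->ID ) ) {
        return true;
    }
    return mappress_example_deny( 'You cannot view this map.' );
}

function mappress_example_can_write_map( WP_REST_Request $request ) {
    $post = get_post( (int) $request['mapid'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_map_not_found', 'Map not found.', array( 'status' => 404 ) );
    }
    // 'edit_post'/'delete_post' are meta capabilities: WordPress resolves them to
    // edit_posts/delete_posts for the author and to edit_others_posts/
    // delete_others_posts for anyone else, which Contributors do not hold.
    $cap = ( 'DELETE' === $request->get_method() ) ? 'delete_post' : 'edit_post';
    if ( current_user_can( $cap, $post->ID ) ) {
        return true;
    }
    return mappress_example_deny( 'You cannot modify this map.' );
}

function mappress_example_routes_hardened() {
    register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\d+)', array(
        array(
            'methods'             => 'GET',
            'callback'            => 'mappress_example_get_map',
            'permission_callback' => 'mappress_example_can_read_map',
        ),
        array(
            'methods'             => array( 'POST', 'PATCH', 'DELETE' ),
            'callback'            => 'mappress_example_write_map',
            'permission_callback' => 'mappress_example_can_write_map',
        ),
    ) );
}
add_action( 'rest_api_init', 'mappress_example_routes_hardened' );
```

The point of the hardened form is that the capability is evaluated against the object the request names, not against the caller's role in the abstract: `current_user_can( 'edit_post', $id )` is what WordPress core uses for the same decision, and it is what turns "has `edit_posts`" into "may edit this post". Two caveats: returning 404 for a missing ID and 401/403 for an existing one still lets a caller confirm which IDs exist, which matches core's own `/wp/v2/posts` behaviour but is worth knowing; and an operation with no single target, such as emptying the trash, cannot use a per-object check and should instead be scoped to the caller's own maps inside the handler (an assumed design, not something the advisory states).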
Published: 2026-06-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the REST API endpoints of the MapPress Maps for WordPress plugin, whose permission callbacks check a role-level capability (or nothing at all) and never verify ownership of the targeted map. An unauthenticated attacker can enumerate map identifiers and read detailed information, such as POI titles, addresses, coordinates and body content, for every map on the site. Any authenticated user holding `edit_posts`, which Contributors have by default, can update, delete, trash or restore, and clone any map regardless of who owns it. The result is both data leakage and unauthorized modification of map assets.

Affected Systems

The plugin vendor "chrisvrichardson" provides the product "MapPress Maps for WordPress" (WordPress.org slug mappress-google-maps-for-wordpress, per the referenced trac links). Versions up to and including 2.96.6 are vulnerable. Site administrators should check the installed plugin version and upgrade if it falls within this range.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (Medium) comes from the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, which records no confidentiality impact and only a low integrity impact; it therefore does not capture the unauthenticated read of POI titles, addresses and coordinates that the description spells out, so assess the data-exposure risk on its own merits rather than from the number. EPSS is below 1% and the CVE is not in CISA's KEV catalog, but the attack is straightforward: plain HTTP requests to the exposed REST endpoints, with no credentials for reads or with any account holding `edit_posts` (Contributor and above) for writes. Because neither the route permission callbacks nor the model layer check ownership, exploitation needs nothing beyond enumerating map IDs or possessing basic editing rights.

Generated by OpenCVE AI on June 6, 2026 at 06:22 UTC.

Remediation

No vendor advisory text or workaround is recorded on this page. The referenced changeset compares tag 2.96.6 with tag 2.97.1, which is the release the recommended actions below identify as containing the fix.

OpenCVE Recommended Actions

  • Upgrade the MapPress Maps for WordPress plugin to version 2.97.1 or later to restore ownership validation on the REST API routes.
  • As a stopgap until the upgrade, restrict which roles hold `edit_posts`, since that is the only capability the write endpoints check and Contributors hold it by default. Note that removing `edit_posts` also stops those users from drafting ordinary posts, so treat this as a short-term measure; only the upgrade restores the per-map ownership check, and it does nothing for the unauthenticated read path.
  • Audit existing maps for unused or orphaned map IDs and delete or discard them to reduce the attack surface exposed via enumeration.
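A site-side stopgap that enforces the missing ownership check from outside the plugin until it is upgraded, as an added example that is not the vendor's code or part of this advisory. It is a hypothetical must-use plugin hooking `rest_request_before_callbacks`, which WordPress runs before a route's own permission callback and handler and which short-circuits the request when a `WP_Error` is returned. Assumptions (mine): the affected routes live under the `mapp/v1` namespace and identify the map with a numeric `mapid`, either as a route segment as in the description's path template or as a request parameter; maps are WordPress posts so `edit_post`/`delete_post` apply; and published maps should remain publicly readable. Requests that name no map (for example empty_trash) are left to the plugin's own role check, which this guard cannot improve.

```php
<?php
/*
 * Plugin Name: MapPress REST ownership guard (stopgap)
 * Added example, not from the plugin or its vendor. Place in wp-content/mu-plugins/
 * until MapPress is upgraded past 2.96.6. Assumptions (mine): routes live under
 * 'mapp/v1', the targeted map is a numeric 'mapid' (route segment or parameter),
 * maps are WordPress posts so 'edit_post'/'delete_post' apply, and published maps
 * are meant to stay publicly readable.
 */

/**
 * Extract the targeted map ID from a request, or 0 if the request names none.
 */
function mappress_guard_target_map_id( WP_REST_Request $request ) {
    $id = $request->get_param( 'mapid' );
    if ( null === $id && preg_match( '#^/mapp/v1/maps/(\d+)#', $request->get_route(), $m ) ) {
        $id = $m[1];
    }
    return (int) $id;
}

/**
 * Decide whether the current user may perform $method on $post.
 * Returns true or a WP_Error. Assumed policy: published maps remain publicly
 * readable; every other read, and every write, needs the per-object capability.
 */
function mappress_guard_authorize( $method, WP_Post $post ) {
    if ( 'GET' === $method ) {
        if ( 'publish' === $post->post_status || current_user_can( 'edit_post', $post->ID ) ) {
            return true;
        }
    } else {
        // Meta capabilities: resolved to edit_others_posts/delete_others_posts
        // for anyone who is not the author, which Contributors lack.
        $cap = ( 'DELETE' === $method ) ? 'delete_post' : 'edit_post';
        if ( current_user_can( $cap, $post->ID ) ) {
            return true;
        }
    }
    return new WP_Error( 'rest_forbidden', 'You are not allowed to access this map.',
        array( 'status' => is_user_logged_in() ? 403 : 401 ) );
}

/**
 * Runs before the route's permission_callback and handler; returning a
 * WP_Error here makes WordPress answer with that error instead of dispatching.
 */
function mappress_guard_before_callbacks( $response, $handler, $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // an earlier filter already rejected the request
    }
    if ( 0 !== strpos( $request->get_route(), '/mapp/v1/' ) ) {
        return $response; // not a MapPress route
    }
    $mapid = mappress_guard_target_map_id( $request );
    if ( 0 === $mapid ) {
        return $response; // no single map targeted (e.g. empty_trash): plugin's role check applies
    }
    $post = get_post( $mapid );
    if ( ! $post ) {
        return new WP_Error( 'rest_map_not_found', 'Map not found.', array( 'status' => 404 ) );
    }
    $decision = mappress_guard_authorize( $request->get_method(), $post );
    return is_wp_error( $decision ) ? $decision : $response;
}
add_filter( 'rest_request_before_callbacks', 'mappress_guard_before_callbacks', 10, 3 );
```

Because the guard only adds a denial and never grants, it cannot widen what the plugin already allows; after upgrading to a release with the proper check it is redundant and can be removed. Verify it from an incognito browser (GET on a draft map should now return 401) and from a Contributor account against a map owned by someone else (POST/DELETE should return 403) before relying on it.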

Generated by OpenCVE AI on June 6, 2026 at 06:22 UTC.

Advisories

No advisories yet.

References

https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L253
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L268
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L328
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L39
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L50
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L75
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L90
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L239
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L379
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L493
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L550
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L253
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L268
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L328
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L39
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L50
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L75
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L90
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L239
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L379
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L493
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L550
https://plugins.trac.wordpress.org/changeset?old_path=/mappress-google-maps-for-wordpress/tags/2.96.6&new_path=/mappress-google-maps-for-wordpress/tags/2.97.1
https://www.wordfence.com/threat-intel/vulnerabilities/id/9f402aa7-24d6-448b-a1d3-5ee7c90b39bc?source=cve
History

Sat, 06 Jun 2026 12:30:00 +0000

Metrics, values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Jun 2026 06:45:00 +0000

First Time appeared, values added: Chrisrichardson; Chrisrichardson mappress Maps For Wordpress; Wordpress; Wordpress wordpress
Vendors & Products, values added: Chrisrichardson; Chrisrichardson mappress Maps For Wordpress; Wordpress; Wordpress wordpress

Sat, 06 Jun 2026 05:00:00 +0000

Description, values added: the text shown in the Description section above
Title, values added: MapPress Maps for WordPress <= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints
Weaknesses, values added: CWE-639
References, values added
Metrics, values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:42:35.794Z

Reserved: 2026-05-18T15:18:31.311Z

Link: CVE-2026-8839

Vulnrichment

Updated: 2026-06-06T11:42:31.156Z

NVD

Status : Received

Published: 2026-06-06T05:16:29.510

Modified: 2026-06-06T05:16:29.510

Link: CVE-2026-8839

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T06:30:14Z

Weaknesses