Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description (CVE.org)
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via Mappress_Api::rest_api_init(), where the GET /wp-json/mapp/v1/maps/{mapid} endpoint uses 'permission_callback' => '__return_true' and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic edit_posts capability without confirming that the requester owns the targeted map - a gap that is not compensated at the model layer, as Mappress_Map::get(), save(), delete(), mutate(), and empty_trash() all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data - including POI titles, addresses, coordinates, and body content - for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.
Analysis (AI)
{mapid} endpoint - harvesting POI titles, addresses, geolocation coordinates, and body content - because the permission callback is hardcoded to __return_true. Separately, any authenticated user with at least Contributor-level WordPress access can issue write operations (update, delete, trash/restore, clone) against maps owned by other authors, because write endpoints gate only on the generic edit_posts capability and the model layer (Mappress_Map::get(), save(), delete(), mutate(), empty_trash()) performs no ownership validation at any depth. …
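As an added illustration (not the plugin's own code or its fix), this is the shape of an ownership-aware permission_callback pair for the route described above, using WordPress's per-post meta capabilities instead of `__return_true` and the generic `edit_posts`; the post type name `mappress_map`, the read policy, and the handler names are assumptions:

```php
<?php
// Added illustration, not code from the MapPress plugin. Assumes (hypothetical)
// that maps are posts of post type 'mappress_map' and that example_map_get()
// and example_map_write() are the route handlers, defined elsewhere.

function example_map_from_request( WP_REST_Request $request ) {
    $post = get_post( (int) $request->get_param( 'mapid' ) );
    if ( ! $post || 'mappress_map' !== $post->post_type ) {
        return new WP_Error( 'rest_not_found', 'Map not found', array( 'status' => 404 ) );
    }
    return $post;
}

// Read side, replacing '__return_true'. Policy (an assumption): a map is private
// to its author. 'read_post' is a per-post meta capability that WordPress resolves
// against the post's author and status, so anonymous callers are refused.
function example_map_read_permission( WP_REST_Request $request ) {
    $post = example_map_from_request( $request );
    if ( is_wp_error( $post ) ) {
        return $post;
    }
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Cannot read this map',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

// Write side. The generic 'edit_posts' capability only says "may edit some post";
// the per-post 'edit_post' meta capability ties the check to this map: a Contributor
// passes for their own maps only. Handlers should repeat this check before acting.
function example_map_write_permission( WP_REST_Request $request ) {
    $post = example_map_from_request( $request );
    if ( is_wp_error( $post ) ) {
        return $post;
    }
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Cannot modify this map',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\d+)', array(
        array( 'methods' => WP_REST_Server::READABLE, 'callback' => 'example_map_get',
               'permission_callback' => 'example_map_read_permission' ),
        array( 'methods' => WP_REST_Server::EDITABLE . ', ' . WP_REST_Server::DELETABLE,
               'callback' => 'example_map_write',
               'permission_callback' => 'example_map_write_permission' ),
    ) );
} );
```

A plugin whose maps are meant to render publicly would need a different read policy than the one assumed here, but the write side (per-map `edit_post` rather than site-wide `edit_posts`) is the standard WordPress pattern for the ownership gap the description names.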
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The unauthenticated read path requires only that the MapPress Maps for WordPress plugin be installed and activated on a WordPress site; no credentials, session tokens, or special configuration are needed because the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'`, making it unconditionally accessible over the network to any HTTP client. … |
| Risk Assessment | The NVD CVSS 3.1 score of 5.3 (Medium) uses vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, which presents an internal inconsistency worth flagging: PR:N (no privileges required) and I:L (low integrity impact) appear to capture only the unauthenticated write side, yet C:N (no confidentiality impact) conflicts directly with the description's confirmation that unauthenticated users can read sensitive geolocation and address data, a confidentiality loss that would typically warrant at least C:L. … |
| Exploit Scenario | An unauthenticated attacker discovers a WordPress site running MapPress by identifying the `/wp-json/mapp/v1/maps/` REST endpoint through passive enumeration or a Google dork targeting the plugin's REST namespace, then scripts sequential GET requests iterating integer map IDs from 1 upward, automatically collecting every map's POI titles, street addresses, and GPS coordinates in bulk, with no credentials or prior knowledge of the site required. In a separate scenario, a low-trust Contributor account (e.g., a guest blogger or recently offboarded user) issues a DELETE or mutate REST request targeting the map IDs of an administrator's maps, permanently destroying or corrupting site content without any ownership check blocking the operation. |
| Remediation | No vendor-released patched version has been identified at time of analysis; the CPE wildcard covers all versions through 2.96.6 with no fixed release confirmed in available data. … |
External POC / Exploit Code
EUVD-2026-34957
GHSA-4m8c-59q5-hc8f