CVE-2026-8839
MediumCVSS 5.3Summary
The MapPress Maps for WordPress plugin is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.96.6. The lack of ownership verification in REST API routes allows unauthorized attackers to access sensitive map data.
Risk Assessment
The organization may be exposed to the leakage of sensitive information such as POI titles, addresses, and coordinates, which could lead to serious privacy and data security breaches.
Recommendation
It is recommended to update the MapPress Maps plugin to the latest version and implement additional ownership verification mechanisms in the REST API routes to secure access to map data.
Original NVD description (English source)
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.

