CVE-2026-8839: MapPress Maps WordPress Plugin Authorization Bypass Vulnerability
MapPress Maps for WordPress, a popular mapping plugin, contains a critical authorization flaw affecting all versions through 2.96.6. The plugin's REST API endpoints fail to verify whether the person making a request actually owns the map they're trying to access. This means unauthenticated attackers can read any map's sensitive details—locations, coordinates, addresses, and descriptions—simply by guessing map IDs, while legitimate WordPress users with contributor-level access or higher can modify, delete, or duplicate maps they don't own.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.
24 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from two distinct authorization failures in the MapPress REST API implementation. First, the GET endpoint `/wp-json/mapp/v1/maps/{mapid}` uses `'permission_callback' => '__return_true'`, permitting unauthenticated access to any map. Second, write operations (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only validate the generic `edit_posts` capability without confirming ownership of the specific map resource. This pattern repeats at the model layer: the underlying `Mappress_Map` methods (`get()`, `save()`, `delete()`, `mutate()`, `empty_trash()`) accept caller-supplied map IDs without performing any ownership checks, leaving the authorization decision entirely to the REST API layer, which itself is incomplete.
Business impact
Organizations using MapPress to manage location-based content—event venues, branch locations, property listings, or restricted point-of-interest databases—face exposure of geospatial data and associated metadata that may be sensitive or competitive. Authenticated attackers with contributor access can sabotage published maps by deletion or modification, disrupting site functionality and potentially damaging user trust. The ease of exploitation via simple ID enumeration means the attack surface is broad and requires no special tools or insider knowledge.
Affected systems
The MapPress Maps for WordPress plugin in all versions up to and including 2.96.6 is affected. Any WordPress installation using this plugin version range is vulnerable regardless of plugin configuration or visibility settings. The vulnerability requires only that the WordPress REST API is enabled (default in recent WordPress versions) and that the MapPress plugin is active.
Exploitability
Exploitation requires no authentication to read map data and trivial effort to enumerate map IDs. An attacker can discover maps by incrementing the map ID parameter and harvesting sensitive location data. Modifying or deleting maps requires a WordPress account with contributor-level permissions or higher, but once obtained, those accounts can tamper with any map. The lack of any additional controls (CAPTCHA, rate-limiting, audit logging at the API level) means attacks are difficult to detect in real time and can operate at scale.
Remediation
Update the MapPress Maps plugin immediately to the patched version. Verify against the official plugin repository or vendor advisory for the minimum safe version number. As an interim mitigation before patching, disable REST API access via a security plugin or `.htaccess` rule targeting `wp-json/mapp/` endpoints if the plugin cannot be updated immediately. Monitor logs for unusual `wp-json/mapp/` requests, particularly enumeration patterns in the mapid parameter.
Patch guidance
Obtain the latest version from the official MapPress plugin repository on wordpress.org and apply it via the WordPress admin panel or direct file replacement. Verify that the update includes ownership verification logic in both REST API permission callbacks and the underlying model methods. Test that unauthenticated requests to `/wp-json/mapp/v1/maps/` return 403 Forbidden rather than map data. Confirm that authenticated non-owner requests to modify or delete maps return 403 Forbidden.
Detection guidance
Monitor WordPress logs and audit trails for repeated requests to `/wp-json/mapp/v1/maps/` with sequential or random mapid values from the same IP, which suggests enumeration. Look for requests originating from users with contributor access that attempt modifications to maps owned by other authors. Enable query logging on the database and watch for unexpected writes to the MapPress tables originating from non-standard request contexts. Web application firewalls can be configured to flag POST/DELETE/PATCH requests to the mapp endpoint from unusual source IPs or at unusual times.
Why prioritize this
Although the CVSS score is Medium (5.3), the vulnerability combines high exploitability (unauthenticated, no user interaction) with low friction execution and potential impact across all published maps. Sites storing sensitive location data should prioritize patching. Organizations with strict authentication policies or those running older WordPress versions with lower contributor-base activity face lower risk but should still patch promptly.
Risk score, explained
The CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N score reflects network accessibility, low attack complexity, no authentication requirement, and integrity impact (modification/deletion). Confidentiality is rated as None because the vector focuses on the integrity dimension; however, in practice, the unauthenticated read access to map data represents a meaningful confidentiality concern that should factor into organizational risk assessment independent of the numeric score.
Frequently asked questions
Can we work around this without patching the plugin?
Temporarily, yes: disable REST API endpoints for MapPress via security plugins (like Wordfence or Sucuri) that allow granular REST route blocking, or configure your web server to deny requests to `/wp-json/mapp/`. However, this may break front-end map functionality if the plugin relies on REST API calls. The proper fix is to patch. Do not rely on this as a permanent solution.
How can we tell if we've been exploited?
Check web server logs for anomalous GET requests to `/wp-json/mapp/v1/maps/` with a range of mapid values, particularly if they originate from unusual geographies or outside business hours. Review the WordPress Posts table (or MapPress custom table) for unexpected modification timestamps on maps you didn't edit. Enable detailed logging on REST API requests if your security plugin supports it.
Do we need to update every site using MapPress?
Yes. Every installation running MapPress 2.96.6 or earlier is vulnerable to the read-access and write-access attacks described. Even if you trust your current users, the unauthenticated read access means external attackers can harvest map data without a WordPress account.
Will patching break our existing maps or functionality?
Patching should not affect the display or functionality of maps. The fix adds authorization checks without changing the data model or API structure. After patching, test that your maps render correctly and that users can still edit their own maps via the admin interface.
This analysis is based on the vulnerability description and does not constitute a guarantee of complete accuracy or coverage of all edge cases. Verify patch version numbers and details against the official MapPress plugin advisories and the WordPress plugin repository before deployment. Organizations should conduct their own testing in a non-production environment to confirm patch compatibility with their specific WordPress version, active plugins, and custom integrations. SEC.co and its staff do not provide warranty or indemnification for outcomes arising from reliance on this intelligence. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10038MEDIUMCharitable WordPress Plugin IDOR Arbitrary Attachment Deletion Vulnerability
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-11142MEDIUMChrome Paint Same-Origin Policy Bypass Vulnerability
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
- CVE-2026-24753MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
- CVE-2026-24755MEDIUMKiteworks IDOR Authorization Flaw in Secure Data Forms