CVE-2026-8839
published 2026-06-06CVE-2026-8839: The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including…
PriorityP342medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EXPLOIT
EPSS
0.81%
52.4th percentile
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chrisvrichardson | mappress_maps_for_wordpress | <= 2.96.6 | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
chrisvrichardson MapPress Maps for WordPress Plugin up to 2.96.6 on WordPress REST API /wp-json/mapp/v1/maps rest_api_init authorization (EUVD-2026-34957)
vuldb·2026-06-06·CVSS 5.3
CVE-2026-8839 [MEDIUM] chrisvrichardson MapPress Maps for WordPress Plugin up to 2.96.6 on WordPress REST API /wp-json/mapp/v1/maps rest_api_init authorization (EUVD-2026-34957)
A vulnerability was found in chrisvrichardson MapPress Maps for WordPress Plugin up to 2.96.6 on WordPress. It has been rated as critical. Impacted is the function Mappress_Api::rest_api_init of the file /wp-json/mapp/v1/maps of the component REST API. Performing a manipulation results in authorization bypass.
This vulnerability was named CVE-2026-8839. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is advised.
GHSA
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6.
ghsa_unreviewed·2026-06-06
CVE-2026-8839 [MEDIUM] CWE-639 The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6.
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it po
No detection rules found.
Nuclei
WordPress MapPress Maps <= 2.96.6 - Unauthenticated IDOR
nuclei·CVSS 5.3
CVE-2026-8839 [MEDIUM] WordPress MapPress Maps <= 2.96.6 - Unauthenticated IDOR
WordPress MapPress Maps <= 2.96.6 - Unauthenticated IDOR
MapPress Maps for WordPress <= 2.96.6 contains an authorization bypass caused by missing ownership verification in REST API routes, letting unauthenticated attackers read any map data and authenticated contributors modify any map, exploit requires crafted API requests
Template:
id: CVE-2026-8839
info:
name: WordPress MapPress Maps <= 2.96.6 - Unauthenticated IDOR
author: 0x_Akoko
severity: medium
description: |
MapPress Maps for WordPress <= 2.96.6 contains an authorization bypass caused by missing ownership verification in REST API routes, letting unauthenticated attackers read any map data and authenticated contributors modify any map, exploit requires crafted API requests
impact: |
Unauthenticated attackers can read sensitive
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L253https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L268https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L328https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L39https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L50https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L75https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L90https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L239https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L379https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L493https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L550https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L253https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L268https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L328https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L39https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L50https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L75https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L90https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L239https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L379https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L493https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L550https://plugins.trac.wordpress.org/changeset?old_path=/mappress-google-maps-for-wordpress/tags/2.96.6&new_path=/mappress-google-maps-for-wordpress/tags/2.97.1https://www.wordfence.com/threat-intel/vulnerabilities/id/9f402aa7-24d6-448b-a1d3-5ee7c90b39bc?source=cve
2026-06-06
Published