CVE-2026-8839
Authorization Bypass in MapPress Maps WordPress Plugin
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mappress | mappress_maps | up to 2.96.6 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The MapPress Maps for WordPress plugin is vulnerable to an Authorization Bypass through a user-controlled key in all versions up to 2.96.6. This happens because the plugin's REST API endpoints do not properly verify ownership of maps. Specifically, the GET endpoint allows anyone to read map data without permission checks, and the write endpoints only check if the user has generic edit permissions without confirming if they own the map. As a result, unauthenticated users can access sensitive map information, and authenticated users with Contributor-level access or higher can modify or delete any map regardless of ownership.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized access and modification of map data on your WordPress site. Unauthenticated attackers can read sensitive information such as points of interest titles, addresses, coordinates, and map content by enumerating map IDs. Additionally, attackers with Contributor-level access or higher can modify, delete, trash, restore, or clone any map regardless of who created it, potentially leading to data loss, misinformation, or unauthorized changes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the vulnerable REST API endpoints without proper authorization. Specifically, you can test the GET endpoint /wp-json/mapp/v1/maps/{mapid} to see if map data is accessible without authentication.
You can use curl commands to test access to these endpoints. For example, to check if map data is exposed without authentication, run:
```
curl -X GET https://yourwordpresssite.com/wp-json/mapp/v1/maps/1
```
If the response returns map data without requiring authentication, the vulnerability is present.
Similarly, for authenticated users with Contributor-level access or above, testing write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) with various map IDs can reveal if unauthorized modifications are possible.
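As a complement to probing the endpoint, the following added example (not code from the advisory or from the MapPress project) goes a step further and reviews web server access logs for the map ID enumeration described above, covering both the `/wp-json/` path and WordPress's `?rest_route=` query form. It assumes Combined Log Format, a hypothetical threshold `min_ids`, and that the write endpoints live under the same `/mapp/v1/` namespace; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format prefix: client, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
MAP_ID_RE = re.compile(r"^/mapp/v1/maps/(\d+)/?$")  # GET route named in the advisory
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def rest_route(target):
    """Normalise a request target to its REST route ('' if not a REST call)."""
    parts = urlsplit(target)
    # Sites without pretty permalinks reach the same routes via ?rest_route=
    route = parse_qs(parts.query).get("rest_route", [""])[0]
    if not route and "/wp-json/" in parts.path:
        route = "/" + unquote(parts.path).split("/wp-json/", 1)[1]
    return route

def scan(lines, min_ids=5):
    """Return (clients that read >= min_ids distinct maps, write counts per client)."""
    reads, writes = defaultdict(set), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        route = rest_route(target)
        if not route.startswith("/mapp/v1/") or not status.startswith("2"):
            continue  # other routes and failed requests are ignored
        map_id = MAP_ID_RE.match(route)
        if method == "GET" and map_id:
            reads[client].add(int(map_id.group(1)))
        elif method in WRITE_METHODS:
            writes[client] += 1  # ownership is not visible in the log; review these
    sweeps = {c: sorted(ids) for c, ids in reads.items() if len(ids) >= min_ids}
    return sweeps, dict(writes)

# Constructed sample log (documentation IP ranges), not real traffic
T = "- - [06/Jun/2026:10:00:00 +0000]"
SAMPLE = [f'203.0.113.7 {T} "GET /wp-json/mapp/v1/maps/{i} HTTP/1.1" 200 812' for i in (1, 2, 3)] + [
    f'203.0.113.7 {T} "GET /?rest_route=/mapp/v1/maps/4 HTTP/1.1" 200 790',
    f'203.0.113.7 {T} "GET /index.php?rest_route=%2Fmapp%2Fv1%2Fmaps%2F5 HTTP/1.1" 200 801',
    f'203.0.113.7 {T} "GET /wp-json/mapp/v1/maps/6 HTTP/1.1" 404 120',
    f'198.51.100.20 {T} "GET /wp-json/mapp/v1/maps/2 HTTP/1.1" 200 812',
    f'198.51.100.33 {T} "DELETE /wp-json/mapp/v1/maps/2 HTTP/1.1" 200 45',
    f'198.51.100.20 {T} "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120',
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

An access log does not record the WordPress session, so each flagged client still needs to be correlated with login activity before concluding the reads were unauthenticated or the writes came from a non-owner.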
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the MapPress Maps for WordPress plugin to a version later than 2.96.6 where this vulnerability is fixed.
If an update is not immediately possible, restrict access to the vulnerable REST API endpoints by implementing additional access controls, such as limiting REST API access to authenticated users only or using a web application firewall (WAF) to block unauthorized requests.
Additionally, review user roles and permissions to ensure that only trusted users have Contributor-level access or higher, minimizing the risk of unauthorized map modifications.