Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

CVE-2026-8839

PUBLISHED 06.06.2026

CNA: Wordfence

MapPress Maps for WordPress <= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints

Обновлено: 06.06.2026
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.

CWE

Идентификатор Описание
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVSS

Оценка Severity Версия Базовый вектор
5.3 MEDIUM 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Доп. Информация

Product Status

MapPress Maps for WordPress
Product: MapPress Maps for WordPress
Vendor: chrisvrichardson
Default status: unaffected
Версии:
Затронутые версии Статус
Наблюдалось до версии 2.96.6 affected
 

Ссылки

https://www.wordfence.com/threat-intel/vulnerabilities/id/9f402aa7-24d6-448b-a1d3-5ee7c90b39bc?source=cve
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L328
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L328
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L90
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L268
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L39
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L253
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L50
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L75
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L239
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L493
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L379
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L550
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L90
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L268
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L39
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L253
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L50
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L75
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L239
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L493
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L379
https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L550
https://plugins.trac.wordpress.org/changeset?old_path=/mappress-google-maps-for-wordpress/tags/2.96.6&new_path=/mappress...

CISA ADP Vulnrichment

Обновлено: 06.06.2026
Этот блок содержит дополнительную информацию, предоставленную программой CVE для этой уязвимости.

SSVC

Exploitation Automatable Technical Impact Версия Дата доступа
none yes partial 2.0.3 06.06.2026

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.