CVE-2024-9235 HIGH

CVE-2024-9235: Mapster WP Maps <= 1.5.0 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update

Vendor Mapster
Product Mapster WP Maps
Weakness CWE-285
Published October 25, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Mapster WP Maps plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to an insufficient capability check on the mapster_wp_maps_set_option_from_js() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with contributor-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Key dates

02Disclosure timeline

October 25, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-4474 Frontend Dashboard 1.0 - 2.2.7 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via fed_admin_setting_form_function Function CVE-2022-2595 Improper Authorization in kromitgmbh/titra CVE-2025-4521 IDonate 2.1.5 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via idonate_donor_profile Function CVE-2023-32717 Role-based Access Control (RBAC) Bypass on '/services/indexing/preview' REST Endpoint Can Overwrite Search Results CVE-2026-2010 Sanluan PublicCMS Trade Payment TradePaymentService.java paid improper authorization