CVE-2026-8839 MEDIUM

CVE-2026-8839: MapPress Maps for WordPress <= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints

Vendor Chrisvrichardson
Product MapPress Maps for WordPress
Weakness CWE-639 · IDOR
Published June 6, 2026
Last update June 6, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.

Explanation of Vulnerability in Simple Terms

02Summary

MapPress Maps for WordPress versions up to 2.96.6 contain an integrity vulnerability allowing network-based modification of data without authentication. An attacker can alter information processed by the plugin, though confidentiality and availability are not affected. Update to a version newer than 2.96.6 to resolve this issue.

What an attacker can do

03Attacker Capabilities

Modify data processed by the MapPress plugin without needing to log in.

Potential impact on your site

04Site Impact

Attackers can alter map data or related content served by MapPress without site admin intervention.

Conditions required to exploit

05Prerequisites

Network access to the WordPress site; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 6, 2026 CVE published
June 6, 2026 Record updated

Related vulnerabilities

08Related CVE