High severity7.2NVD Advisory· Published Apr 4, 2022· Updated Jun 17, 2026
CVE-2022-0537
CVE-2022-0537
Description
The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be uploaded to any directory to which the server has write access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <2.73.13
Patches
Vulnerability mechanics
References
1- wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367nvdExploitThird Party Advisory
News mentions
0No linked articles in our index yet.