MapPress Maps for WordPress < 2.88.16 - Unauthenticated Arbitrary Private/Draft Post Disclosure
Description
Unauthenticated users can read arbitrary private/draft posts via IDOR in MapPress Maps for WordPress < 2.88.16.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MapPress Maps for WordPress versions before 2.88.16 are vulnerable to an Insecure Direct Object Reference (IDOR) flaw. The plugin fails to verify that posts retrieved via an AJAX action are public maps, allowing unauthenticated users to read arbitrary private and draft posts [1]. Version 2.88.15 attempted to fix the issue but still permitted any authenticated user (e.g., subscribers) to access such posts [1].
Exploitation
The AJAX action can be exploited by an unauthenticated attacker with no user interaction required. The attacker sends a crafted request referencing the ID of a private or draft post, and the plugin returns the post content because the AJAX endpoint does not enforce proper access controls [1].
Impact
Successful exploitation leads to unauthorized disclosure of private and draft post content. This is a confidentiality breach where an attacker can read sensitive information intended to be hidden from the public or restricted to certain roles.
Mitigation
Update to version 2.88.16 or later, which enforces proper authorization checks and ensures only public maps are retrievable via the AJAX endpoint [1]. No other workarounds are documented.
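As an added illustration (not the plugin's own code; the action name, post type, parameter and function names are hypothetical), a WordPress AJAX handler of the kind described above, showing the unchecked lookup beside a hardened version that serves a post only when it is a public map or the caller is actually allowed to read it:

```php
<?php
// Added example, not MapPress code. Action name, post type and
// function names are hypothetical placeholders.

// Vulnerable pattern: any post ID is looked up and returned, so
// private and draft posts are disclosed to unauthenticated callers.
function example_get_map_unchecked() {
    $post_id = isset($_GET['post_id']) ? absint($_GET['post_id']) : 0;
    $post    = get_post($post_id);
    if (!$post) {
        wp_send_json_error('not found', 404);
    }
    wp_send_json_success(array('content' => $post->post_content));
}

// Hardened pattern: the endpoint only serves posts that are public
// maps. Status, type and password protection are all checked; a
// non-public post is served only if WordPress's own capability check
// says the current user may read it. Note that a bare
// is_user_logged_in() test would not be enough: it is the kind of
// check that still lets any subscriber read every draft.
function example_get_map_checked() {
    $post_id = isset($_GET['post_id']) ? absint($_GET['post_id']) : 0;
    $post    = get_post($post_id);

    $is_public_map = $post
        && 'publish' === $post->post_status
        && 'example_map' === $post->post_type   // hypothetical post type
        && empty($post->post_password);

    // 'read_post' is a WordPress meta capability resolved per post.
    $may_read = $is_public_map
        || ($post && current_user_can('read_post', $post->ID));

    // Same "not found" answer for missing and forbidden posts, so the
    // response does not reveal whether a hidden post exists.
    if (!$may_read) {
        wp_send_json_error('not found', 404);
    }
    wp_send_json_success(array('content' => $post->post_content));
}

// The 'nopriv' hook is what exposes the action to unauthenticated
// requests, which is why the check inside the handler matters.
add_action('wp_ajax_nopriv_example_get_map', 'example_get_map_checked');
add_action('wp_ajax_example_get_map', 'example_get_map_checked');
```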
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / MapPress Maps
- Range: <2.88.16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. wpscan.com/vulnerability/587acc47-1966-4baf-a380-6aa479a97c82/ (tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.