WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Creation

An unauthenticated attacker sends a POST request to the wp-admin/admin-ajax.php endpoint with the action parameter set to wpgmza_rest_api_request and a route parameter matching a registered pattern (e.g., /features/). The attacker also supplies a phpClass parameter containing a WPGMZA-namespaced class name such as WPGMZA\Map or WPGMZA\Marker. Because the onAJAXRequest method [ref_id=1] iterates over fallbackRoutesByRegex and calls the stored callback without checking the permission_callback when the route was registered without one, the request proceeds to the features() or markers() handler which instantiates the supplied class and triggers an INSERT into the corresponding plugin database table.

The vulnerability is in the onAJAXRequest method of the RestAPI class in wp-google-maps/tags/10.0.10/includes/class.rest-api.php [ref_id=1]. This method handles AJAX fallback requests when the REST API is blocked and iterates over fallbackRoutesByRegex to find a matching route, but it only checks the permission_callback if one was set in the $args array; routes registered without a permission_callback (such as the GET-only routes for features, markers, etc.) are executed without any authorization check.

The advisory does not include a patch, but the fix would need to ensure that the AJAX fallback handler (onAJAXRequest) in class.rest-api.php [ref_id=1] enforces the permission_callback for all routes, not just those that had one set during registration. Specifically, the handler should validate that the requesting user has the required capability (e.g., isUserAllowedToEdit) before allowing any POST or DELETE requests to proceed, regardless of whether the route was registered with a permission_callback.