CVE-2026-8839
Description
MapPress Maps for WordPress plugin vulnerable to authorization bypass via REST API, allowing data disclosure and modification.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The MapPress Maps for WordPress plugin is vulnerable to an authorization bypass in all versions up to and including 2.96.6. This vulnerability exists in the REST API routes registered via Mappress_Api::rest_api_init(). Specifically, the GET /wp-json/mapp/v1/maps/{mapid} endpoint uses 'permission_callback' => '__return_true', and write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic edit_posts capability without verifying map ownership. This is not compensated at the model layer, as Mappress_Map::get(), save(), delete(), mutate(), and empty_trash() operate on any caller-supplied map ID without an ownership check [1].
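The weak route registration the record describes, beside a hardened form that resolves the map ID to its post and asks WordPress for a per-post meta-capability. This is an added illustration, not the plugin's code or its fix; it assumes maps are stored as a WordPress post type (the constant is a placeholder) and that the handler callbacks named here are defined elsewhere.

```php
<?php
// Added illustration of the authorization pattern in this CVE record; not the
// plugin's code. Assumes maps are posts so core meta-capabilities apply per map.
const MAP_POST_TYPE = 'hypothetical_map_post_type'; // placeholder, not the plugin's value

// Weak pattern (as described): anonymous reads, and writes gated only on the
// generic edit_posts capability, so any Contributor passes for any map ID.
function weak_routes_register() {
    register_rest_route('mapp/v1', '/maps/(?P<mapid>\d+)', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'map_read_callback',    // assumed handler
            'permission_callback' => '__return_true',
        ],
        [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'map_write_callback',   // assumed handler
            'permission_callback' => function () { return current_user_can('edit_posts'); },
        ],
    ]);
}

// Hardened pattern: check THIS user against THIS post. The meta-capabilities
// edit_post / delete_post / read_post go through map_meta_cap(), which denies
// Contributors and Authors on posts they do not own while still allowing Editors.
function map_permission_for(string $meta_cap): callable {
    return function (WP_REST_Request $request) use ($meta_cap) {
        $post = get_post((int) $request['mapid']);
        if (!$post || $post->post_type !== MAP_POST_TYPE) {
            // Unknown or foreign ID: fail closed without revealing whether it exists.
            return new WP_Error('rest_forbidden', 'Forbidden', ['status' => 403]);
        }
        return current_user_can($meta_cap, $post->ID)
            ? true
            : new WP_Error('rest_forbidden', 'Forbidden', ['status' => 403]);
    };
}

function hardened_routes_register() {
    register_rest_route('mapp/v1', '/maps/(?P<mapid>\d+)', [
        // If maps are meant to be publicly viewable, trim the response fields
        // in the handler rather than reopening the route with __return_true.
        ['methods' => WP_REST_Server::READABLE,  'callback' => 'map_read_callback',
         'permission_callback' => map_permission_for('read_post')],
        ['methods' => WP_REST_Server::EDITABLE,  'callback' => 'map_write_callback',
         'permission_callback' => map_permission_for('edit_post')],
        ['methods' => WP_REST_Server::DELETABLE, 'callback' => 'map_delete_callback',
         'permission_callback' => map_permission_for('delete_post')],
    ]);
}
add_action('rest_api_init', 'hardened_routes_register');
```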
Exploitation
Unauthenticated attackers can enumerate map IDs to read sensitive map data, including POI titles, addresses, coordinates, and body content. Authenticated attackers with Contributor-level access or higher can modify, delete, trash/restore, or clone any map on the site, regardless of its author, by exploiting the missing ownership verification in the REST API endpoints [1].
Impact
Successful exploitation allows unauthenticated attackers to disclose sensitive map data. Authenticated attackers can achieve unauthorized modification, deletion, or cloning of any map on the site, impacting data integrity and availability. The scope of the compromise is limited to the maps managed by the plugin.
Mitigation
The vulnerability was fixed in version 2.97.1, released on 2026-05-28 [1]. Users are advised to update to version 2.97.1 or later to mitigate this vulnerability.
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.96.6
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php (nvd)
- plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php (nvd)
- plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php (nvd)
- plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/9f402aa7-24d6-448b-a1d3-5ee7c90b39bc (nvd)
News mentions
No linked articles in our index yet.