MapPress Maps
by WordPress
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-0537 | Hig | 0.47 | 7.2 | 0.01 | Apr 4, 2022 | The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current 's stylesheet… | ||
| CVE-2025-2055 | Med | 0.44 | 6.8 | 0.00 | Apr 3, 2025 | The MapPress Maps for WordPress plugin before 2.94.9 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. | ||
| CVE-2022-0208 | Med | 0.40 | 6.1 | 0.02 | Feb 14, 2022 | The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting | ||
| CVE-2024-0420 | Med | 0.35 | 5.4 | 0.00 | Feb 12, 2024 | The MapPress Maps for WordPress plugin before 2.88.15 does not sanitize and escape the map title when outputting it back in the admin dashboard, allowing Contributors and above roles to perform Stored Cross-Site Scripting attacks | ||
| CVE-2024-0421 | Med | 0.34 | 5.3 | 0.01 | Feb 12, 2024 | The MapPress Maps for WordPress plugin before 2.88.16 is affected by an IDOR as it does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts. | ||
| CVE-2025-2162 | Med | 0.31 | 4.8 | 0.00 | Apr 18, 2025 | The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in… |
- risk 0.47cvss 7.2epss 0.01
The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current 's stylesheet…
- risk 0.44cvss 6.8epss 0.00
The MapPress Maps for WordPress plugin before 2.94.9 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
- risk 0.40cvss 6.1epss 0.02
The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting
- risk 0.35cvss 5.4epss 0.00
The MapPress Maps for WordPress plugin before 2.88.15 does not sanitize and escape the map title when outputting it back in the admin dashboard, allowing Contributors and above roles to perform Stored Cross-Site Scripting attacks
- risk 0.34cvss 5.3epss 0.01
The MapPress Maps for WordPress plugin before 2.88.16 is affected by an IDOR as it does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts.
- risk 0.31cvss 4.8epss 0.00
The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…