VYPR

MapPress Maps

by WordPress

CVEs (6)

  • CVE-2022-0537HigApr 4, 2022
    risk 0.47cvss 7.2epss 0.01

    The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current 's stylesheet…

  • CVE-2025-2055MedApr 3, 2025
    risk 0.44cvss 6.8epss 0.00

    The MapPress Maps for WordPress plugin before 2.94.9 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

  • CVE-2022-0208MedFeb 14, 2022
    risk 0.40cvss 6.1epss 0.02

    The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting

  • CVE-2024-0420MedFeb 12, 2024
    risk 0.35cvss 5.4epss 0.00

    The MapPress Maps for WordPress plugin before 2.88.15 does not sanitize and escape the map title when outputting it back in the admin dashboard, allowing Contributors and above roles to perform Stored Cross-Site Scripting attacks

  • CVE-2024-0421MedFeb 12, 2024
    risk 0.34cvss 5.3epss 0.01

    The MapPress Maps for WordPress plugin before 2.88.16 is affected by an IDOR as it does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts.

  • CVE-2025-2162MedApr 18, 2025
    risk 0.31cvss 4.8epss 0.00

    The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…