Threat Entry Updated 2026-06-17

CVE-2026-8839 - Mappress Google Maps For Wordpress Plugin

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`,…

PLUGIN Mappress Google Maps For Wordpress

CVE-2026-8839

MEDIUM CVSS 5.3 2026-06-06

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-4840 - Mappress Google Maps For Wordpress Plugin

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'mappress' shortcode in versions up to, and including, 2.88.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mappress Google Maps For Wordpress

CVE-2023-4840

MEDIUM CVSS 6.4 2023-09-12

Risk Score

Open Full Technical Breakdown