WordPress Plugin Vulnerabilities
MapPress Maps < 2.53.9 - Authenticated Map Creation/Deletion Leading to Stored Cross-Site Scripting (XSS)
Description
Both the Free and Pro versions of this plugin register AJAX actions that call functions which lack capability checks and nonce checks. A logged-in attacker with minimal permissions, such as a subscriber, can add a map containing malicious JavaScript to an arbitrary post or page by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to mapp_save, the postid parameter set to the post to add the map to, and the map parameter containing JSON data representing the map to be added. Specifically, malicious JavaScript can be added to the title and body parameters of a Point of Interest in the saved map, and it is executed whenever a visitor to the site clicks the Pin denoting that Point of Interest. Alternatively, if the global setting "Show a list of POIs with each map" is enabled, the JavaScript is executed immediately upon visiting an affected post.
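The two missing checks described above, shown in a hardened AJAX handler; this is an added example for a plugin file running inside WordPress, not MapPress's own code or its actual patch. The action and nonce name example_map_save, the pois JSON key and the _example_map meta key are assumptions; postid, map, title and body are the parameter names given above.

```php
<?php
// Added example: hypothetical plugin code, not taken from MapPress.
// Assumed names: example_map_save (action and nonce), 'pois', '_example_map'.

// Only the authenticated hook is registered; there is no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_map_save', 'example_map_save' );

function example_map_save() {
    // 1. Nonce check: stops forged cross-site requests. Dies with HTTP 403
    //    when the 'nonce' request field is missing or invalid.
    check_ajax_referer( 'example_map_save', 'nonce' );

    // 2. Capability check: being logged in is not enough. The caller must be
    //    allowed to edit the specific post the map is attached to.
    $post_id = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Decode the map JSON and reject anything that is not an object/array.
    $raw = isset( $_POST['map'] ) ? wp_unslash( $_POST['map'] ) : '';
    $map = json_decode( $raw, true );
    if ( ! is_array( $map ) ) {
        wp_send_json_error( 'invalid map', 400 );
    }

    // 4. Rebuild the map from known fields only, sanitizing each POI's
    //    title and body so stored markup cannot carry script.
    $pois = array();
    foreach ( (array) ( $map['pois'] ?? array() ) as $poi ) {
        if ( ! is_array( $poi ) ) {
            continue;
        }
        $pois[] = array(
            'title' => sanitize_text_field( $poi['title'] ?? '' ),
            'body'  => wp_kses_post( $poi['body'] ?? '' ),
        );
    }
    $clean = array( 'pois' => $pois );

    // update_post_meta() unslashes its input, so slash the JSON first.
    update_post_meta( $post_id, '_example_map', wp_slash( wp_json_encode( $clean ) ) );
    wp_send_json_success();
}
```

Input sanitization does not replace output escaping: the code that renders the POI list and pin popups should still escape title and body when printing them.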