MapPress Maps for WordPress < 2.88.16 – Unauthenticated Arbitrary Private/Draft Post Disclosure | CVE 2024-0421 | Plugin Vulnerabilities

Description

The plugin is affected by an IDOR as it does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts.

The fix made in 2.88.15 is not sufficient as it still allowed any authenticated users, such s subscriber to read arbitrary private and draft posts.

Proof of Concept

As an unauthenticated user, view the source of a page containing a Map from the plugin and retrieve the nonce from the mappl10n['options']['nonce'] JavaScript var, then open the below URL (replacing the oid by the ID or a private or draft post)

https://example.com/wp-admin/admin-ajax.php?action=mapp_get_post&oid=53&nonce=eef7edf9b9

Affects Plugins

mappress-google-maps-for-wordpress

Fixed in 2.88.16

References

CVE

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Submitter

Erwan LR

Verified

Yes

WPVDB ID

587acc47-1966-4baf-a380-6aa479a97c82

Timeline

Publicly Published

2024-01-17 (about 1 year ago)

Added

2024-01-17 (about 1 year ago)

Last Updated

2024-08-30 (about 1 year ago)

Other

Published

Title

Published

2025-03-07

Title

FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel < 2.4.30 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Post/Page Updates

Published

2023-12-05

Title

WP Photo Album Plus < 8.6.01.003 - Insecure Direct Object Reference

Published

2024-09-17

Title

Houzez Login Register < 3.3.0 - Subscriber+ Privilege Escalation via Account Takeover

Published

2025-11-11

Title

Payment Plugins Braintree For WooCommerce < 3.2.79 - Missing Authorization to Payment Token Exposure and Transaction Fraud

Published

2023-11-03

Title

Youzify < 1.2.3 - Insecure Direct Object Reference