WordPress Plugin Vulnerabilities
MapPress Maps for WordPress < 2.88.16 - Unauthenticated Arbitrary Private/Draft Post Disclosure
Description
The plugin does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts.
The fix made in 2.88.15 is not sufficient as it still allowed any authenticated users, such s subscriber to read arbitrary private and draft posts.
Proof of Concept
As an unauthenticated user, view the source of a page containing a Map from the plugin and retrieve the nonce from the mappl10n['options']['nonce'] JavaScript var, then open the below URL (replacing the oid by the ID or a private or draft post) https://example.com/wp-admin/admin-ajax.php?action=mapp_get_post&oid=53&nonce=eef7edf9b9
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
Miscellaneous
Submitter
Erwan LR
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-01-17 (about 3 months ago)
Added
2024-01-17 (about 3 months ago)
Last Updated
2024-01-17 (about 3 months ago)