Vulnerabilities ›

CVE-2026-8839

Medium

CWE-639 — Weakness Type

                    Published: Jun 6, 2026                      ·  Modified: Jun 9, 2026                      ·  Source: NVD                

CVSS v3

5.3

🔗 NVD Official

📄 Description (English)

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.

🤖 AI Executive Summary

MapPress Maps for WordPress plugin versions up to 2.96.6 contain an authorization bypass vulnerability in REST API endpoints that allows unauthenticated attackers to read sensitive map data through ID enumeration and authenticated users to modify or delete maps they don't own. The vulnerability stems from missing ownership verification in both API permission callbacks and model-layer operations. With a CVSS score of 5.3 and no patch currently available, organizations using this plugin should immediately implement compensating controls.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Jun 6, 2026 10:16

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using MapPress Maps plugin are at risk, particularly: (1) Government agencies and municipalities using WordPress for public information portals and location-based services; (2) Real estate and property management companies storing property locations and details; (3) Tourism and hospitality sectors using maps for venue/attraction information; (4) Healthcare facilities publishing clinic/hospital locations; (5) Retail and e-commerce businesses displaying store locations. The vulnerability allows unauthorized access to sensitive geographic data, coordinates, and associated metadata that could be exploited for reconnaissance, competitive intelligence, or physical security threats.

🏢 Affected Saudi Sectors

Government and Public Administration Real Estate and Property Management Tourism and Hospitality Healthcare and Medical Services Retail and E-commerce Education and Universities Local Municipalities

🎯 MITRE ATT&CK Techniques

T1110 - Brute Force (map ID enumeration) T1526 - Reconnaissance (sensitive data gathering) T1087 - Account Discovery (user-owned map enumeration) T1078 - Valid Accounts (privilege escalation via contributor access) T1530 - Data from Cloud Storage (unauthorized map data access) T1213 - Data from Information Repositories (WordPress content access)

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Disable the MapPress Maps plugin immediately until a patch is available: wp-cli plugin deactivate mappress-google-maps-for-wordpress

2. If the plugin is critical, restrict REST API access to authenticated users only via .htaccess or web application firewall rules

3. Audit all maps created in the past 90 days to identify sensitive data exposure

4. Review REST API access logs for suspicious enumeration patterns (sequential map ID requests)

COMPENSATING CONTROLS:

1. Implement REST API authentication requirement: Add filter to require authentication for all /wp-json/mapp/v1/ endpoints

2. Apply capability restrictions: Modify plugin code to verify map ownership before any read/write operation

3. Disable REST API for this plugin: Add to wp-config.php: define('REST_API_ENABLED', false) for mapp routes

4. Use Web Application Firewall (WAF) rules to block sequential map ID enumeration attempts

5. Implement rate limiting on REST API endpoints

DETECTION RULES:

1. Monitor WordPress logs for: GET /wp-json/mapp/v1/maps/ requests from unauthenticated users

2. Alert on: POST/DELETE/PATCH requests to /wp-json/mapp/v1/maps/ from users without map ownership

3. Flag: Rapid sequential requests to /wp-json/mapp/v1/maps/{1,2,3,4...} indicating enumeration

4. Track: Unusual modification timestamps on maps by non-owner accounts

PATCHING GUIDANCE:

1. Monitor MapPress plugin repository for security update (currently no patch available)

2. Subscribe to WordPress security mailing list for CVE-2026-8839 patch notification

3. When patch is released, test in staging environment before production deployment

4. Plan immediate update deployment with rollback procedure

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. قم بتعطيل مكون MapPress Maps فوراً حتى يتوفر تصحيح: wp-cli plugin deactivate mappress-google-maps-for-wordpress

2. إذا كان المكون حرجاً، قم بتقييد وصول REST API للمستخدمين المصرحين فقط عبر .htaccess أو قواعد جدار الحماية

3. قم بمراجعة جميع الخرائط التي تم إنشاؤها في آخر 90 يوماً لتحديد تسرب البيانات الحساسة

4. راجع سجلات وصول REST API للبحث عن أنماط تعداد مريبة (طلبات معرف الخريطة المتسلسلة)

عناصر التحكم التعويضية:

1. تنفيذ متطلبات المصادقة لـ REST API: أضف مرشح لمطالبة المصادقة لجميع نقاط نهاية /wp-json/mapp/v1/

2. تطبيق قيود القدرات: عدّل كود المكون للتحقق من ملكية الخريطة قبل أي عملية قراءة/كتابة

3. تعطيل REST API للمكون: أضف إلى wp-config.php: define('REST_API_ENABLED', false) لمسارات mapp

4. استخدم قواعد جدار حماية تطبيقات الويب (WAF) لحظر محاولات تعداد معرف الخريطة المتسلسلة

5. تنفيذ تحديد معدل على نقاط نهاية REST API

قواعد الكشف:

1. مراقبة سجلات WordPress للبحث عن: طلبات GET /wp-json/mapp/v1/maps/ من مستخدمين غير مصرحين

2. تنبيه عند: طلبات POST/DELETE/PATCH إلى /wp-json/mapp/v1/maps/ من مستخدمين بدون ملكية الخريطة

3. وضع علم على: طلبات متسلسلة سريعة إلى /wp-json/mapp/v1/maps/{1,2,3,4...} تشير إلى التعداد

4. تتبع: طوابع زمنية تعديل غير عادية على الخرائط بواسطة حسابات غير المالك

إرشادات التصحيح:

1. مراقبة مستودع مكون MapPress للحصول على تحديث أمان (لا يوجد تصحيح متاح حالياً)

2. الاشتراك في قائمة بريد أمان WordPress للحصول على إشعار تصحيح CVE-2026-8839

3. عند إصدار التصحيح، اختبره في بيئة التدريج قبل نشره في الإنتاج

4. خطط لنشر التحديث الفوري مع إجراء التراجع

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information Security Policies and Procedures (access control policy) A.6.1.2 - User Access Management (user access rights verification) A.7.1.1 - Cryptography and Access Control (authorization mechanisms) A.8.2.1 - Asset Management (protection of information assets)

🔵 SAMA CSF

AC-2: Account Management (user access verification) AC-3: Access Enforcement (authorization controls) AC-6: Least Privilege (role-based access restrictions) SI-4: Information System Monitoring (detection of unauthorized access)

🟡 ISO 27001:2022

A.5.1.1 - Information security policies A.6.1.2 - User registration and de-registration A.6.2.1 - User access provisioning A.8.2.1 - Classification of information A.9.1.1 - Access control policy A.9.2.1 - User registration and access rights

🟣 PCI DSS v4.0.1

Requirement 6.5.10 - Broken access control Requirement 7.1 - Limit access to system components Requirement 7.2 - Ensure proper user access management

🔗 References & Sources 24

🔗

https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95...

CVE-2026-8839

Introduce Yourself