PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8839 chrisvrichardson CVE debrief

The MapPress Maps for WordPress plugin, up to and including version 2.96.6, is vulnerable to Authorization Bypass Through User-Controlled Key. This vulnerability is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`. Specifically, the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'`, allowing unauthenticated access, while write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming the requester owns the targeted map. This gap is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` operate on any caller-supplied map ID without an ownership check.
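The gap the debrief describes, shown as the vulnerable route registration beside a hardened one. This is an added illustration written for this page, not MapPress's own code: the route path, the `mapp_example_*` handler and helper names, and the `mappress_posts` link table used to find a map's owning post are assumptions, and that lookup must be checked against the installed plugin's schema. The hardened version replaces the role-level `edit_posts` check with the object-level `edit_post` meta capability on the specific post, which is what makes a Contributor fail for another author's map.

```php
<?php
// Added illustration, not MapPress's own code. Route path, handler names, the
// mapp_example_* helpers and the owner lookup are assumptions for this example;
// the debrief only states which checks the real routes perform.

// --- Vulnerable pattern, as the debrief describes it -------------------------
// Read is open to everyone; write checks only the generic edit_posts capability.
// Nothing ties the caller to the map they name.
function mapp_example_register_vulnerable_routes() {
    register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\d+)', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'mapp_example_get_map',
            'permission_callback' => '__return_true',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'mapp_example_update_map',
            'permission_callback' => function () {
                return current_user_can( 'edit_posts' ); // role check only, no object check
            },
        ),
    ) );
}

// --- Hardened pattern -------------------------------------------------------
// ASSUMPTION: a map is linked to the post that embeds it via a
// {$wpdb->prefix}mappress_posts (postid, mapid) table. The page does not state
// this; verify against the installed plugin's schema before relying on it.
function mapp_example_owner_post_id( $mapid ) {
    global $wpdb;
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT postid FROM {$wpdb->prefix}mappress_posts WHERE mapid = %d LIMIT 1",
        $mapid
    ) );
}

// Read: allowed if the owning post is publicly viewable, otherwise the caller
// needs read_post on that specific post.
function mapp_example_can_read_map( WP_REST_Request $request ) {
    $post_id = mapp_example_owner_post_id( (int) $request->get_param( 'mapid' ) );
    if ( ! $post_id ) {
        return new WP_Error( 'rest_map_not_found', 'Unknown map.', array( 'status' => 404 ) );
    }
    if ( is_post_publicly_viewable( $post_id ) || current_user_can( 'read_post', $post_id ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'You may not view this map.',
        array( 'status' => rest_authorization_required_code() ) );
}

// Write: edit_post is a meta capability. WordPress maps it to edit_posts for
// the author's own post and to edit_others_posts for anyone else's, so a
// Contributor passes for their own map and fails for another author's.
function mapp_example_can_edit_map( WP_REST_Request $request ) {
    $post_id = mapp_example_owner_post_id( (int) $request->get_param( 'mapid' ) );
    if ( ! $post_id ) {
        return new WP_Error( 'rest_map_not_found', 'Unknown map.', array( 'status' => 404 ) );
    }
    if ( current_user_can( 'edit_post', $post_id ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'You may not modify this map.',
        array( 'status' => rest_authorization_required_code() ) );
}

function mapp_example_register_hardened_routes() {
    register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\d+)', array(
        // Shared argument schema: non-numeric IDs are rejected before any callback runs.
        'args' => array(
            'mapid' => array( 'type' => 'integer', 'required' => true, 'minimum' => 1 ),
        ),
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'mapp_example_get_map',
            'permission_callback' => 'mapp_example_can_read_map',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'mapp_example_update_map',
            'permission_callback' => 'mapp_example_can_edit_map',
        ),
        array(
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => 'mapp_example_delete_map',
            'permission_callback' => 'mapp_example_can_edit_map',
        ),
    ) );
}
add_action( 'rest_api_init', 'mapp_example_register_hardened_routes' );

// Minimal handlers so the example loads; the plugin's own Mappress_Map calls
// would sit here. The permission callbacks above run before any of them.
function mapp_example_get_map( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'mapid' => (int) $request['mapid'] ) );
}
function mapp_example_update_map( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'mapid' => (int) $request['mapid'], 'updated' => true ) );
}
function mapp_example_delete_map( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'mapid' => (int) $request['mapid'], 'deleted' => true ) );
}
```

The point of the hardened form is that authorization is decided per object, not per role: the callback resolves the map ID the client supplied to something with an owner and asks WordPress whether this user may act on that thing. Where the plugin vendor ships a fix, updating is the remedy; this is a reference for what the check must do, and the owner lookup is the part that has to match the real data model.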

Vendor
chrisvrichardson
Product
MapPress Maps for WordPress
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-06
Original CVE updated
2026-06-08
Advisory published
2026-06-06
Advisory updated
2026-06-08

Who should care

Site operators running the MapPress Maps for WordPress plugin, particularly sites whose maps carry location data that is not meant to be public. Unauthenticated attackers can read map data, including POI titles, addresses, coordinates, and body content, by enumerating map IDs against the GET `/wp-json/mapp/v1/maps/{mapid}` route. Authenticated attackers with Contributor-level access and above (any role granted `edit_posts`) can modify, delete, trash or restore, or clone any map regardless of its author.

Technical summary

The vulnerability affects MapPress Maps for WordPress versions up to and including 2.96.6. The REST routes registered in `Mappress_Api::rest_api_init()` perform no per-map ownership check: the read route is public and the write routes require only the generic `edit_posts` capability, and the `Mappress_Map` model methods act on whatever map ID the caller supplies. Any map can therefore be read by anyone and modified by any user who can edit posts.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update the MapPress Maps for WordPress plugin to a release later than 2.96.6 that contains the fix.
  • Until patched, treat every map as publicly readable: remove or relocate location data that must not be exposed, and review Contributor-and-above accounts, since any of them can alter any map.
  • Monitor web server logs for runs of requests to `/wp-json/mapp/v1/maps/{id}` across sequential IDs (read enumeration) and for POST, PATCH, or DELETE requests to the `mapp/v1` namespace from accounts that do not own the targeted map.

Evidence notes

Evidence for this CVE comes from the National Vulnerability Database (NVD) and Wordfence security research.

Official resources

CVE-2026-8839 was published on 2026-06-06T05:16:29.510Z and modified on 2026-06-08T14:57:14.757Z.