MEDIUM
chrisvrichardson
CVE published 2026-06-06
CVE-2026-8839
The MapPress Maps for WordPress plugin, up to and including version 2.96.6, is vulnerable to Authorization Bypass Through User-Controlled Key. This vulnerability is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`. Specifically, the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'`, allowing unauthenticat [truncated]
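A source audit for the pattern described above, as an added example (not MapPress or advisory code): it scans plugin PHP for `register_rest_route()` calls whose `permission_callback` is `__return_true` or absent. The PHP sample is constructed; its `can_edit` callback and `/status` route are assumptions, and flagging an absent callback goes beyond the single case in the text.

```python
import re

# Constructed PHP input (not MapPress's code); 'can_edit' and '/status' are assumptions.
SAMPLE_PHP = r"""<?php
register_rest_route('mapp/v1', '/maps/(?P<mapid>\d+)', array(
    'methods' => 'GET',
    'callback' => array(__CLASS__, 'get_map'),
    'permission_callback' => '__return_true',
));
register_rest_route('mapp/v1', '/maps/(?P<mapid>\d+)', array(
    'methods' => 'POST',
    'callback' => array(__CLASS__, 'save_map'),
    'permission_callback' => array(__CLASS__, 'can_edit'),
));
register_rest_route('mapp/v1', '/status', array('methods' => 'GET', 'callback' => 'mapp_status'));
"""

def call_args(src, name="register_rest_route"):
    """Yield (line, argument text) per call; parentheses inside PHP strings are ignored."""
    for m in re.finditer(r"\b%s\s*\(" % name, src):
        depth, i, quote = 1, m.end(), None
        while i < len(src) and depth:
            c = src[i]
            if quote:
                if c == "\\":
                    i += 1                      # skip the escaped character
                elif c == quote:
                    quote = None
            elif c in "'\"":
                quote = c
            else:
                depth += (c == "(") - (c == ")")
            i += 1
        yield src.count("\n", 0, m.start()) + 1, src[m.end():i - 1]

def audit(src):
    """Return (line, methods, route, reason) for routes any unauthenticated caller can reach."""
    findings = []
    for line, args in call_args(src):
        r = re.match(r"""\s*(['"])(.*?)\1\s*,\s*(['"])(.*?)\3""", args, re.S)
        route = r.group(2) + r.group(4) if r else "<dynamic>"
        meth = re.search(r"""['"]methods['"]\s*=>\s*['"]([A-Z, ]+)['"]""", args)
        cb = re.search(r"""['"]permission_callback['"]\s*=>\s*['"]?([\w\\:]+)""", args)
        name = cb.group(1) if cb else None  # None: no callback, which WordPress treats as public
        if name not in (None, "__return_true"):
            continue
        reason = "permission_callback " + ("missing" if name is None else "is __return_true")
        findings.append((line, meth.group(1) if meth else "?", route, reason))
    return findings
```

A finding only means the route is reachable without authentication, which can be intentional; the review question for a route keyed by an identifier such as `{mapid}` is whether the handler or its permission callback checks that the caller may access that specific object.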