WordPress · Mappress Maps · CVE-2026-8839
**Name of the Vulnerable Software and Affected Versions**
MapPress Maps for WordPress versions prior to 2.96.7
**Description**
An authorization bypass exists due to missing ownership verification in the REST API routes registered by the `Mappress_Api::rest_api_init()` function. The GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses a permission callback that always returns true, allowing unauthenticated attackers to read sensitive map data, such as POI titles, addresses, coordinates, and body content, by enumerating the `mapid` parameter. Additionally, the write endpoints (POST update, DELETE, PATCH mutate, POST clone, and POST empty trash) only verify the generic `edit_posts` capability without confirming that the requester owns the targeted map. The same gap is present in the model-layer functions `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()`, which operate on any supplied map ID. Consequently, authenticated attackers with Contributor-level access or higher can modify, delete, trash, restore, or clone any map regardless of its author.
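The following is an added illustration, not MapPress's own code or its fix: a hypothetical `rest_api_init` registration that contrasts the always-true permission callback described above with one that checks both the `edit_posts` capability and ownership of the specific map. It assumes, for illustration only, that each map is stored as a post of a hypothetical post type `mappress_map` whose `post_author` is the owner, and the `example_*` handler names are placeholders.

```php
<?php
// Added illustration, not MapPress's own code. Assumes (hypothetically) that
// maps are posts of type 'mappress_map' with post_author as the owner; the
// example_* names are placeholders for the real route handlers.

function example_map_permission( WP_REST_Request $request ) {
    $map_id = absint( $request['mapid'] );
    $map    = $map_id ? get_post( $map_id ) : null;

    // Unknown or wrong-type IDs are rejected before any capability check,
    // so the route cannot be used to probe other object types.
    if ( ! $map || 'mappress_map' !== $map->post_type ) {
        return new WP_Error( 'rest_map_not_found', 'Map not found.', array( 'status' => 404 ) );
    }

    // Baseline capability (what the write endpoints already required).
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.',
            array( 'status' => rest_authorization_required_code() ) );
    }

    // The missing piece: ownership. A Contributor passes only for their own
    // map; acting on someone else's map needs 'edit_others_posts'.
    $is_owner = (int) $map->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'You do not own this map.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    // Weak form described in the advisory: '__return_true' as the
    // 'permission_callback' lets any unauthenticated request read the map.
    // Hardened form: one per-map callback guards both read and write routes.
    register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\d+)', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_map',    // placeholder handler
            'permission_callback' => 'example_map_permission',
        ),
        array(
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => 'example_delete_map', // placeholder handler
            'permission_callback' => 'example_map_permission',
        ),
    ) );
} );
```

With this callback the GET route also stops serving anonymous requests; if public reads are intended, a separate read-only callback would be needed, but the write routes should always carry the ownership check.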
**Recommendations**
Update the plugin to a version later than 2.96.6.