CVE-2024-0421: CWE-639 Authorization Bypass Through User-Controlled Key in Unknown MapPress Maps for WordPress

Medium
Published: Mon Feb 12 2024 (02/12/2024, 16:05:57 UTC)
Source: CVE
Vendor/Project: Unknown
Product: MapPress Maps for WordPress

Description

The MapPress Maps for WordPress plugin before 2.88.16 is affected by an IDOR, as it does not ensure that posts to be retrieved via an AJAX action are public maps, allowing unauthenticated users to read arbitrary private and draft posts.

AI-Powered Analysis

Last updated: 07/05/2025, 08:25:25 UTC

Technical Analysis

CVE-2024-0421 is a medium-severity vulnerability affecting the MapPress Maps for WordPress plugin versions prior to 2.88.16. The vulnerability is classified as an Insecure Direct Object Reference (IDOR), specifically CWE-639, which arises due to improper authorization checks when retrieving posts via an AJAX action. The plugin fails to verify that the requested posts are public maps, allowing unauthenticated attackers to access arbitrary private and draft posts. This means that an attacker can craft requests to the plugin's AJAX endpoint to read content that should be restricted, bypassing intended access controls. The vulnerability does not require any user authentication or interaction, and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The impact is limited to confidentiality as the attacker can read private data, but there is no impact on integrity or availability. The CVSS v3.1 base score is 5.3, reflecting a medium severity level. No known exploits are currently reported in the wild, and no patches are linked in the provided data, though the fixed version is 2.88.16 or later. The vulnerability is significant for websites using MapPress Maps to manage private or draft map posts, as sensitive or unpublished information could be exposed to unauthorized parties.

Potential Impact

For European organizations, especially those using WordPress with the MapPress Maps plugin to manage sensitive geospatial or location-based content, this vulnerability poses a confidentiality risk. Private or draft map posts could contain sensitive business information, internal project data, or personal data protected under GDPR. Unauthorized disclosure could lead to reputational damage, regulatory penalties, and loss of competitive advantage. Organizations in sectors such as government, urban planning, logistics, real estate, and tourism that rely on private map data are particularly at risk. Since exploitation requires no authentication and can be performed remotely, attackers can easily scan for vulnerable sites and extract private content. Although the vulnerability does not affect data integrity or availability, the exposure of confidential information alone can have serious consequences under European data protection laws.

Mitigation Recommendations

European organizations should immediately verify whether they use the MapPress Maps plugin and which version is installed. If running a version prior to 2.88.16, they should upgrade to 2.88.16 or later. Until the upgrade is applied, organizations can implement temporary mitigations such as restricting access to the AJAX endpoints to trusted IP addresses only, via web application firewall (WAF) rules or server-level access controls. Additionally, auditing and reviewing private and draft map posts for sensitive content is recommended to assess potential exposure. Monitoring web server logs for unusual AJAX requests targeting the plugin endpoints can help detect exploitation attempts. Organizations should also ensure that their WordPress installations and plugins are regularly updated and that security best practices, such as least privilege and network segmentation, are enforced to limit the impact of such vulnerabilities.
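
The log monitoring recommended above can be sketched as follows. This is an added example, not code from the plugin or from this advisory: it flags clients that request many different numeric object IDs through a plugin AJAX action on the standard WordPress endpoint. The action prefix is a placeholder (the advisory does not name the action), the log lines are constructed, and only query-string parameters are visible in an access log.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Placeholder, not the plugin's real action name: set this to the AJAX
# action prefix registered by the plugin version you run.
ACTION_PREFIX = "example_plugin_"
AJAX_PATH = "/wp-admin/admin-ajax.php"  # standard WordPress AJAX endpoint

# Common/combined log format: capture client address and request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')
NUMERIC_ID = re.compile(r"[0-9]{1,12}")

def find_id_walkers(lines, min_distinct_ids=3):
    """Return {client: sorted ids} for clients that requested at least
    min_distinct_ids different numeric IDs through the watched action."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(AJAX_PATH):
            continue
        params = parse_qs(url.query)
        if not any(a.startswith(ACTION_PREFIX) for a in params.get("action", [])):
            continue
        # The ID parameter name is unknown here, so treat every numeric
        # parameter value other than the action as a candidate object ID.
        for name, values in params.items():
            if name != "action":
                seen[client].update(int(v) for v in values if NUMERIC_ID.fullmatch(v))
    return {c: sorted(ids) for c, ids in seen.items() if len(ids) >= min_distinct_ids}

# Constructed sample log lines (documentation IP ranges, made-up IDs).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2024:16:10:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_get&id=101 HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Feb/2024:16:10:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_get&id=102 HTTP/1.1" 200 530',
    '203.0.113.7 - - [12/Feb/2024:16:10:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_get&id=103 HTTP/1.1" 200 498',
    '198.51.100.20 - - [12/Feb/2024:16:11:00 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_get&id=55 HTTP/1.1" 200 498',
    '198.51.100.20 - - [12/Feb/2024:16:11:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&id=1 HTTP/1.1" 200 20',
    '203.0.113.7 - - [12/Feb/2024:16:12:00 +0000] "GET /index.php?p=104 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for client, ids in find_id_walkers(SAMPLE_LOG).items():
        print(f"{client} requested {len(ids)} distinct IDs: {ids}")
```

Parameters sent in a POST body do not appear in standard access logs, so sites that need that visibility would have to log at the WAF or application layer instead.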


Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2024-01-11T11:58:50.352Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9819c4522896dcbd8a90

Added to database: 5/21/2025, 9:08:41 AM

Last enriched: 7/5/2025, 8:25:25 AM

Last updated: 7/30/2025, 10:38:16 PM
