CVE-2026-8839: CWE-639 Authorization Bypass Through User-Controlled Key in chrisvrichardson MapPress Maps for WordPress
MapPress Maps for WordPress plugin versions up to 2. 96. 6 suffer from an authorization bypass vulnerability due to missing ownership verification in its REST API endpoints. Unauthenticated users can read sensitive map data by enumerating map IDs, while authenticated users with Contributor-level access or higher can modify or delete any map regardless of ownership. The vulnerability arises because permission checks either allow all requests or only verify generic edit permissions without confirming map ownership. No official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
CVE-2026-8839 is an authorization bypass vulnerability in the MapPress Maps for WordPress plugin affecting all versions up to 2.96.6. The REST API routes registered via Mappress_Api::rest_api_init() lack proper ownership verification. The GET endpoint for retrieving maps uses a permission callback that always returns true, allowing unauthenticated access to map data. Write operations (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check for the generic edit_posts capability but do not verify if the requester owns the map resource. The underlying model methods operate on any caller-supplied map ID without ownership checks, enabling unauthorized read and write access to map data.
Potential Impact
Unauthenticated attackers can access sensitive map information such as points of interest titles, addresses, coordinates, and content by enumerating map IDs. Authenticated users with Contributor-level permissions or higher can modify, delete, trash, restore, or clone any map regardless of ownership, potentially leading to unauthorized data manipulation. There is no indication of availability impact or privilege escalation beyond these capabilities.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the REST API endpoints related to MapPress Maps or limit Contributor-level user permissions to trusted users only. Monitor for updates from the vendor or plugin maintainer to apply an official fix once released.
CVE-2026-8839: CWE-639 Authorization Bypass Through User-Controlled Key in chrisvrichardson MapPress Maps for WordPress
Description
MapPress Maps for WordPress plugin versions up to 2. 96. 6 suffer from an authorization bypass vulnerability due to missing ownership verification in its REST API endpoints. Unauthenticated users can read sensitive map data by enumerating map IDs, while authenticated users with Contributor-level access or higher can modify or delete any map regardless of ownership. The vulnerability arises because permission checks either allow all requests or only verify generic edit permissions without confirming map ownership. No official patch or remediation guidance is currently available.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-8839 is an authorization bypass vulnerability in the MapPress Maps for WordPress plugin affecting all versions up to 2.96.6. The REST API routes registered via Mappress_Api::rest_api_init() lack proper ownership verification. The GET endpoint for retrieving maps uses a permission callback that always returns true, allowing unauthenticated access to map data. Write operations (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check for the generic edit_posts capability but do not verify if the requester owns the map resource. The underlying model methods operate on any caller-supplied map ID without ownership checks, enabling unauthorized read and write access to map data.
Potential Impact
Unauthenticated attackers can access sensitive map information such as points of interest titles, addresses, coordinates, and content by enumerating map IDs. Authenticated users with Contributor-level permissions or higher can modify, delete, trash, restore, or clone any map regardless of ownership, potentially leading to unauthorized data manipulation. There is no indication of availability impact or privilege escalation beyond these capabilities.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the REST API endpoints related to MapPress Maps or limit Contributor-level user permissions to trusted users only. Monitor for updates from the vendor or plugin maintainer to apply an official fix once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-18T15:18:31.311Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a23a6aae29bf47b50153415
Added to database: 6/6/2026, 4:48:42 AM
Last enriched: 6/6/2026, 5:03:49 AM
Last updated: 6/6/2026, 5:50:51 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.