CVE-2026-8839 Overview
CVE-2026-8839 is an Authorization Bypass Through User-Controlled Key vulnerability [CWE-639] affecting the MapPress Maps for WordPress plugin in all versions up to and including 2.96.6. The flaw resides in REST API routes registered through Mappress_Api::rest_api_init(), which fail to verify that the requester owns the targeted map. The read endpoint at /wp-json/mapp/v1/maps/{mapid} uses 'permission_callback' => '__return_true', exposing map data to unauthenticated callers. Write endpoints check only the generic edit_posts capability, allowing any Contributor or above to modify resources belonging to other users.
Critical Impact
Unauthenticated attackers can read sensitive map data including POI titles, addresses, coordinates, and body content by enumerating map IDs across the site.
Affected Products
- MapPress Maps for WordPress plugin — all versions up to and including 2.96.6
- WordPress sites running the vulnerable plugin with a publicly reachable REST API
- Fixed in MapPress Maps for WordPress version 2.97.1
Discovery Timeline
- 2026-06-06 - CVE-2026-8839 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-8839
Vulnerability Analysis
The MapPress plugin registers multiple REST API routes that operate on map objects identified by a caller-supplied mapid parameter. The GET route for retrieving individual maps applies 'permission_callback' => '__return_true', which approves every request regardless of authentication state. As a result, anonymous attackers can iterate map IDs and harvest the full content of each map, including point-of-interest titles, street addresses, latitude/longitude coordinates, and body text.
The write-side routes — POST update, DELETE, PATCH mutate, POST clone, and POST empty_trash — gate access behind the edit_posts capability. This capability is granted to the Contributor role and above. Because the routes never compare the map's author to the current user, any Contributor can alter, delete, trash, restore, or clone maps owned by Editors and Administrators.
Root Cause
The authorization gap is not compensated at the model layer. The methods Mappress_Map::get(), save(), delete(), mutate(), and empty_trash() accept any caller-supplied map ID and perform their operation without an ownership check. This violates the principle of complete mediation for object-level access decisions and is the textbook pattern described by CWE-639: Authorization Bypass Through User-Controlled Key.
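The following is an added illustration, not code from the MapPress plugin or from the advisory. It contrasts the route pattern the advisory describes (a read route approved by __return_true and write routes gated only on the edit_posts role capability) with an ownership-aware version in which the permission callback decides per map. It assumes, as the page suggests but does not confirm, that maps are stored as WordPress posts whose post type has map_meta_cap enabled, that the namespace is mapp/v1 and the ID parameter is named mapid; all example_mapp_* names are hypothetical.

```php
<?php
// Added example; not the MapPress plugin's code. Assumes maps are posts with
// map_meta_cap enabled, namespace mapp/v1, parameter mapid. Names are hypothetical.

// --- Handlers shared by both registrations ----------------------------------
function example_mapp_get_map( WP_REST_Request $request ) {
    $post = get_post( (int) $request['mapid'] );
    return rest_ensure_response( array(
        'id'      => $post->ID,
        'title'   => $post->post_title,
        'content' => $post->post_content,   // POIs, addresses, coordinates live here
    ) );
}

function example_mapp_update_map( WP_REST_Request $request ) {
    $id = wp_update_post( array(
        'ID'           => (int) $request['mapid'],
        'post_content' => (string) $request->get_param( 'content' ),
    ), true );
    return is_wp_error( $id ) ? $id : rest_ensure_response( array( 'id' => $id ) );
}

function example_mapp_delete_map( WP_REST_Request $request ) {
    $trashed = wp_trash_post( (int) $request['mapid'] );
    return $trashed
        ? rest_ensure_response( array( 'trashed' => true ) )
        : new WP_Error( 'rest_cannot_trash', 'Could not trash map.', array( 'status' => 500 ) );
}

// --- VULNERABLE PATTERN (as the advisory describes it) ----------------------
// Anyone may read; anyone holding edit_posts (Contributor and up) may write.
// Neither callback looks at which map is being touched: that is CWE-639.
// Deliberately not hooked to rest_api_init; shown only for contrast.
function example_mapp_routes_vulnerable() {
    register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\d+)', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_mapp_get_map',
            'permission_callback' => '__return_true',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_mapp_update_map',
            'permission_callback' => function () { return current_user_can( 'edit_posts' ); },
        ),
    ) );
}

// --- HARDENED PATTERN --------------------------------------------------------
// edit_post / delete_post are meta capabilities that WordPress resolves against
// the specific post, so a Contributor passes only for maps they authored.
function example_mapp_can( $cap ) {
    return function ( WP_REST_Request $request ) use ( $cap ) {
        $mapid = (int) $request['mapid'];
        if ( $mapid <= 0 || ! get_post( $mapid ) ) {
            return new WP_Error( 'rest_map_not_found', 'Map not found.', array( 'status' => 404 ) );
        }
        if ( ! current_user_can( $cap, $mapid ) ) {
            // 401 for anonymous callers, 403 for authenticated non-owners
            return new WP_Error( 'rest_forbidden', 'You may not act on this map.',
                array( 'status' => rest_authorization_required_code() ) );
        }
        return true;
    };
}

// Reads follow core's posts controller: a map whose status is public is already
// visible on the front end; anything else requires read_post on that map.
function example_mapp_can_read( WP_REST_Request $request ) {
    $post = get_post( (int) $request['mapid'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_map_not_found', 'Map not found.', array( 'status' => 404 ) );
    }
    $status = get_post_status_object( $post->post_status );
    if ( $status && $status->public ) {
        return true;
    }
    return current_user_can( 'read_post', $post->ID )
        ? true
        : new WP_Error( 'rest_forbidden', 'You may not view this map.',
            array( 'status' => rest_authorization_required_code() ) );
}

function example_mapp_routes_hardened() {
    register_rest_route( 'mapp/v1', '/maps/(?P<mapid>\d+)', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_mapp_get_map',
            'permission_callback' => 'example_mapp_can_read',
        ),
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_mapp_update_map',
            'permission_callback' => example_mapp_can( 'edit_post' ),
        ),
        array(
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => 'example_mapp_delete_map',
            'permission_callback' => example_mapp_can( 'delete_post' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_mapp_routes_hardened' );
```

The point of the hardened version is that the decision moves from "what role does the caller have" to "what may this caller do with this particular map", which is the complete-mediation property the root cause paragraph names. The same per-object check could also be enforced from outside an unpatched plugin by returning the WP_Error from a rest_request_before_callbacks filter in a must-use plugin, which is a reasonable stopgap until the upgrade lands.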
Attack Vector
Exploitation occurs over the network against the WordPress REST API. An unauthenticated attacker enumerates /wp-json/mapp/v1/maps/{mapid} with sequential integer IDs to extract map data. An authenticated attacker holding Contributor credentials sends crafted POST, PATCH, or DELETE requests to the corresponding endpoints with a victim's mapid to tamper with or destroy resources. No user interaction is required. See the Wordfence Vulnerability Report and the WordPress Plugin Source Code for the vulnerable handlers.
Detection Methods for CVE-2026-8839
Indicators of Compromise
- Unauthenticated HTTP GET requests to /wp-json/mapp/v1/maps/ with sequential or fuzzed numeric map IDs from a single source
- POST, PATCH, or DELETE requests to /wp-json/mapp/v1/maps/* originating from Contributor-level accounts targeting maps authored by other users
- Spikes in WordPress REST API traffic to routes registered by Mappress_Api::rest_api_init()
- Unexpected modifications, deletions, or trash/restore events on map post objects in the WordPress database
Detection Strategies
- Inspect web server access logs for high-volume enumeration of /wp-json/mapp/v1/maps/{id} patterns from unauthenticated clients
- Correlate WordPress audit logs with REST API events to flag Contributor accounts performing write operations on map IDs they do not own
- Alert on bursts of 4xx/2xx responses against the MapPress REST namespace consistent with ID-guessing behavior
Monitoring Recommendations
- Enable WordPress audit logging with a plugin that captures REST API actor, route, and target object IDs
- Forward web access logs and WordPress audit logs to a centralized SIEM for correlation and long-term retention
- Track changes to wp_posts rows where post_type corresponds to MapPress maps and review unexpected post_author mismatches
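As an added example of the audit logging the recommendations above call for (not part of the advisory or of the MapPress plugin), the following must-use plugin records one JSON line per call to the mapp/v1 maps routes with the actor, their roles, the method and route, the targeted map, the map's author and the response status, and pre-computes the two signals the advisory describes. It assumes the route prefix /mapp/v1/maps, the parameter name mapid and that maps are posts whose post_author is the owner; the example_mapp_* names are hypothetical.

```php
<?php
// Added example; not part of the advisory or the MapPress plugin. Place in
// wp-content/mu-plugins/. Assumes route prefix /mapp/v1/maps, parameter mapid,
// maps stored as posts (post_author = owner). Names are hypothetical.

add_filter( 'rest_request_after_callbacks', 'example_mapp_audit_rest', 10, 3 );

// Fires after the permission callback and handler, so denied calls (4xx) are
// recorded too; a burst of those from one client is the ID-guessing signal.
function example_mapp_audit_rest( $response, $handler, WP_REST_Request $request ) {
    if ( 0 !== strpos( $request->get_route(), '/mapp/v1/maps' ) ) {
        return $response;   // not a MapPress route: pass through untouched
    }
    $record = example_mapp_audit_record( $request, $response, get_current_user_id() );
    error_log( 'mapp-audit ' . wp_json_encode( $record ) );   // or forward to a SIEM
    return $response;
}

// Normalises the three things a REST callback can hand back into an HTTP status.
function example_mapp_response_status( $response ) {
    if ( is_wp_error( $response ) ) {
        $data = $response->get_error_data();
        return isset( $data['status'] ) ? (int) $data['status'] : 500;
    }
    return $response instanceof WP_REST_Response ? $response->get_status() : 200;
}

// Builds the record; kept free of output so it can be exercised in isolation.
function example_mapp_audit_record( WP_REST_Request $request, $response, $actor_id ) {
    $mapid  = (int) $request->get_param( 'mapid' );
    $map    = $mapid > 0 ? get_post( $mapid ) : null;
    $owner  = $map ? (int) $map->post_author : null;
    $method = $request->get_method();
    $user   = $actor_id ? get_userdata( $actor_id ) : false;

    return array(
        'ts'     => gmdate( 'c' ),
        'ip'     => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'actor'  => $actor_id,                      // 0 = unauthenticated
        'roles'  => $user ? $user->roles : array(),
        'method' => $method,
        'route'  => $request->get_route(),
        'mapid'  => $mapid,
        'owner'  => $owner,
        'status' => example_mapp_response_status( $response ),
        // The two behaviours the advisory describes, pre-computed for alerting:
        'anon_read'       => ( 0 === $actor_id && 'GET' === $method ),
        'non_owner_write' => ( 'GET' !== $method && null !== $owner && $owner !== $actor_id ),
    );
}
```

Editors and Administrators edit other people's maps legitimately, so an alert on non_owner_write should be restricted to records whose roles field contains contributor or author; anon_read is best aggregated per ip over a short window and alerted on when the count of distinct mapid values climbs, which matches the enumeration pattern described under Detection Strategies.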
How to Mitigate CVE-2026-8839
Immediate Actions Required
- Upgrade MapPress Maps for WordPress to version 2.97.1 or later on every WordPress site
- Audit Contributor and Author accounts for unexpected activity against MapPress endpoints and rotate credentials where abuse is suspected
- Review existing maps for unauthorized edits, deletions, or clones and restore from backup as needed
Patch Information
The vendor remediated the issue in MapPress Maps for WordPress 2.97.1. The fix is documented in the WordPress Plugin Change Log, which introduces proper ownership verification on the affected REST API routes and model methods.
Workarounds
- Restrict access to the /wp-json/mapp/v1/ namespace at the web server or WAF layer for unauthenticated clients until the plugin is updated
- Temporarily deactivate the MapPress plugin if upgrading is not immediately feasible
- Limit the number of accounts holding the Contributor role and above, and review role assignments for least privilege
# Example nginx rule to block unauthenticated access to MapPress REST routes.
# The cookie test is a coarse heuristic rather than authentication (WordPress
# still validates the session itself), and it only covers the pretty-permalink
# form of the route; sites that also answer REST calls through the
# index.php?rest_route= query-string form need an equivalent rule there.
location ~ ^/wp-json/mapp/v1/maps/ {
    if ($http_cookie !~* "wordpress_logged_in_") {
        return 403;
    }
    # Keep routing logged-in requests to WordPress; a regex location that
    # declares no handler would otherwise answer them with a 404.
    try_files $uri /index.php?$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.