A security vulnerability has been disclosed in the popular MapPress Maps for WordPress plugin (versions before 2.88.16). Tracked as CVE-2024-0421, it allows unauthenticated visitors to read arbitrary private and draft posts through an AJAX action that is exposed to anyone who can reach the site. This post explains the flaw in plain terms, walks through the affected code, shows what an exploit request looks like, and links to the original references.

About MapPress Maps for WordPress

The MapPress Maps for WordPress plugin lets site owners build customized Google maps and markers for their WordPress sites, and it has a large number of active installations. A flaw of this kind in a widely installed plugin is a reminder that plugin updates are part of a site's attack surface management, not optional housekeeping.

Vulnerability and Exploit Details

The core problem is that the plugin does not check that the posts it retrieves through an AJAX action are publicly viewable maps. Because the handler is registered for unauthenticated requests, any visitor can ask for map data belonging to posts that are private or still in draft, and the plugin returns it.

The vulnerable code is the "mappress_query()" function in the plugin's "mappress.php" file. The function is registered on the "wp_ajax_nopriv_mappress_query" hook, which WordPress fires for requests to admin-ajax.php from visitors who are not logged in. The handler never checks the status of the requested posts (published, private, draft) or whether they are password protected before returning their map data.

Code Snippet

function mappress_query() {
    global $wpdb;

    // Post IDs come straight from the request (GET or POST) as a comma-separated list.
    $postids = (isset($_REQUEST['postids']) && !empty($_REQUEST['postids'])) ? explode(',', $_REQUEST['postids']) : '';

    if (empty($postids))
        die();

    // Get the maps. No check of post status, visibility or password:
    // any ID the caller names is looked up and returned.
    $maps = Mappress_Map::get_post_maps($postids);

    echo json_encode($maps);
    die();
}
// Registered for unauthenticated visitors only, so no login is required to reach it.
add_action('wp_ajax_nopriv_mappress_query', 'mappress_query');

The function reads a comma-separated list of post IDs from the "postids" request parameter (it uses $_REQUEST, so the value can arrive in the query string or in a POST body) and passes the list directly to "Mappress_Map::get_post_maps()". Nothing in between checks the post status or visibility of those IDs, so map data attached to private and draft posts is returned to an unauthenticated caller just as readily as data attached to published ones.

A sample request exploiting the vulnerability looks like the following (the IDs are illustrative):

https://example.com/wp-admin/admin-ajax.php?action=mappress_query&postids=10,11,12

The response to this request contains the map data for posts 10, 11 and 12 regardless of their status. Since WordPress post IDs are sequential integers, an attacker can simply iterate over ranges of IDs and harvest content from every private and draft post that has a map attached. To check your own installation, create a draft post with a map on it and issue the request above from a logged-out session: a vulnerable version returns the draft's map data, while a patched version should no longer return data for non-public posts.

Solution and Recommendations

The developers patched this vulnerability in version 2.88.16 of MapPress Maps for WordPress, so updating to that version or later closes the unauthenticated information disclosure. Because the handler is reachable through admin-ajax.php, which legitimate front-end scripts also use, blocking the endpoint outright is not a practical workaround; updating is the fix. It is also worth reviewing web server logs for requests to admin-ajax.php with "action=mappress_query" and long or sequential "postids" lists, which would indicate that someone has already been enumerating your posts.
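To make the missing check concrete, below is an added, hardened version of the handler. This is example code written for this post, not the plugin's actual patch, and it assumes that "Mappress_Map::get_post_maps()" accepts an array of post IDs as in the snippet above; the helper name "mappress_filter_readable_postids" is likewise a name chosen here. The idea is to filter the caller-supplied IDs down to posts the current request is actually allowed to read before any map data is looked up.

```php
<?php
// Added example: a hardened version of the handler shown earlier. This is not
// the plugin's real patch; it only illustrates the authorization check the
// vulnerable code lacks. Assumes Mappress_Map::get_post_maps() accepts an
// array of post IDs, as in the snippet above (an assumption for this example).

/**
 * Reduce a caller-supplied list of post IDs to the ones this request may read.
 *
 * Anonymous callers only get posts that are publicly viewable and not
 * password protected. Logged-in callers additionally get any post they can
 * read under WordPress capabilities (their own drafts, private posts they
 * are allowed to see, and so on).
 *
 * @param int[] $postids Post IDs as supplied by the client.
 * @return int[] Post IDs the current request is allowed to read.
 */
function mappress_filter_readable_postids( array $postids ) {
    $allowed = array();
    foreach ( $postids as $id ) {
        $post = get_post( $id );
        if ( ! $post ) {
            continue; // Nonexistent ID: drop it silently, do not reveal anything.
        }
        // is_post_publicly_viewable() (WordPress 5.7+) checks both the post
        // status and the post type. Password-protected posts still pass that
        // test, so they are excluded explicitly for callers without the password.
        $public = is_post_publicly_viewable( $post ) && ! post_password_required( $post );
        if ( $public || current_user_can( 'read_post', $post->ID ) ) {
            $allowed[] = (int) $post->ID;
        }
    }
    return $allowed;
}

/**
 * Hardened AJAX handler: same input contract as mappress_query(), but only
 * readable posts reach the map lookup.
 */
function mappress_query_hardened() {
    $raw = isset( $_REQUEST['postids'] ) ? wp_unslash( $_REQUEST['postids'] ) : '';

    // Coerce every entry to a non-negative integer and drop zeros and garbage,
    // so nothing but plain post IDs is ever passed further down.
    $postids = array_filter( array_map( 'absint', explode( ',', (string) $raw ) ) );
    $postids = mappress_filter_readable_postids( $postids );

    if ( empty( $postids ) ) {
        wp_send_json( array() ); // Same shape as a legitimate empty result.
    }

    wp_send_json( Mappress_Map::get_post_maps( $postids ) );
}

// Register for both logged-in and anonymous requests; the capability check
// inside the handler decides what each caller may see.
add_action( 'wp_ajax_mappress_query', 'mappress_query_hardened' );
add_action( 'wp_ajax_nopriv_mappress_query', 'mappress_query_hardened' );
```

Two design points are worth noting. First, the check is done per post ID rather than once for the whole request, so a list that mixes public and private IDs returns only the public ones instead of failing or leaking everything. Second, unknown and non-public IDs produce the same empty result, which avoids turning the endpoint into an oracle for which IDs exist as private or draft posts.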

Original References

1. CVE-2024-0421, the MITRE CVE entry for this vulnerability.
2. MapPress Maps for WordPress, the plugin's official WordPress.org page.

Conclusion

Understanding vulnerabilities in widely used plugins like MapPress Maps for WordPress is crucial for keeping a site secure. Knowing what the flaw is lets you patch promptly and verify the fix, and the pattern here, an AJAX handler open to unauthenticated callers that trusts caller-supplied post IDs without an authorization check, is one worth looking for in any plugin you maintain.

Timeline

Published on: 02/12/2024 16:15:08 UTC
Last modified on: 02/12/2024 17:31:21 UTC