Critical Vulnerability Found In MapPress Maps WordPress Plugin

Heads up WordPress admins! Another WordPress plugin is found to have a serious vulnerability affecting thousands of websites. This time, the vulnerability has appeared in the MapPress Maps plugin for WordPress.

MapPress Maps WordPress Plugin

Researchers from Alert Logic have found a serious vulnerability in the MapPress Maps plugin for WordPress. The plugin presently boasts over 80,000 installations. Hence, the vulnerability also has put these thousands of sites at risk.

Disclosing the details in a blog post, the researchers stated that they found a privilege escalation bug in the plugin. Upon exploitation, the vulnerability could allow an attacker to meddle with PHP files and even execute codes remotely.

As stated in the post,

This vulnerability enables an attacker with subscriber privileges to download or delete arbitrary PHP files or upload arbitrary malicious PHP files to vulnerable sites, which could result in remote command execution.

The vulnerability has also received a CVE number CVE-2020-12675.

Though, the researchers have presently not shared the precise technicalities about the bug. Yet, according to the vulnerability description given by the Nation Vulnerability Database (NVD), the bug existed because of incorrect implementation of capability check for AJAX functions related to the creation, deletion, or retrieval of PHP files.

Patch Rolled Out

After discovering the bug, Alert Logic reached out to the developers to inform them of the flaw. Following the report, the developers patched the bug with the release of the plugin version 2.54.6.

Hence, users of MapPress Maps WordPress plugin should ensure updating their websites with the latest plugin version 2.54.6.

Presently, the researchers have not shared any further details about the bug, yet they have urged the users to update. Whereas, they have planned to share further details in the coming weeks.

The present report simply adds a plus one to the trail of vulnerable WordPress plugins that we have reported this month.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients