CVE-2022-0208 – MapPress Maps for WordPress < 2.73.4 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0208
The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to Reflected Cross-Site Scripting.
References: https://wpscan.com/vulnerability/59a2abd0-4aee-47aa-ad3a-865f624fa0fc
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
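The pattern behind this entry, as an added example that is not MapPress code: a request parameter concatenated into an error message, next to the sanitise-then-escape form that closes the hole. Function names are hypothetical, and the two WordPress helpers get minimal stand-ins so the file runs with plain `php` outside WordPress.

```php
<?php
// Added example, not MapPress code: the output-escaping pattern behind
// CVE-2022-0208. Function names are hypothetical. Runs with `php file.php`
// outside WordPress because the two WordPress helpers it relies on get
// minimal stand-ins when they are not defined.

if ( ! function_exists( 'esc_html' ) ) {
    // Approximation of WordPress esc_html(): entity-encode for an HTML text node.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Approximation of WordPress sanitize_text_field(): strip tags and control characters.
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
        return trim( $str );
    }
}

// Vulnerable shape: the request parameter is concatenated straight into the
// error markup, so a crafted ?mapid=... is reflected back as live HTML.
function mappress_example_bad_mapid_vulnerable( array $request ) {
    $mapid = isset( $request['mapid'] ) ? $request['mapid'] : '';
    return '<div class="mappress-error">Bad mapid: ' . $mapid . '</div>';
}

// Hardened shape: sanitise on the way in, escape on the way out. Escaping at
// the point of output is what actually prevents the XSS; sanitising only
// narrows what is accepted. Keep both, and never escape earlier than output.
function mappress_example_bad_mapid_fixed( array $request ) {
    $mapid = isset( $request['mapid'] ) ? sanitize_text_field( $request['mapid'] ) : '';
    return '<div class="mappress-error">Bad mapid: ' . esc_html( $mapid ) . '</div>';
}

// Constructed request showing the difference. In a real handler this comes
// from $_GET / $_REQUEST; the probe string is a generic attribute-breakout
// XSS test, not a payload taken from the advisory.
$probe = array( 'mapid' => '"><img src=x onerror=alert(1)>' );
echo "vulnerable: ", mappress_example_bad_mapid_vulnerable( $probe ), "\n";
echo "fixed:      ", mappress_example_bad_mapid_fixed( $probe ), "\n";
```

The check a practitioner wants is on the fixed line: the value is passed through `esc_html()` in the same expression that emits it, so no later refactor can reintroduce an unescaped path. Reflected XSS of this kind needs a victim to follow a crafted link, which is why it is rated below the two entries that follow.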
CVE-2020-12675 – MapPress Maps <= 2.54.5 - Remote Code Execution via Improper Capability Checks in AJAX Calls
https://notcve.org/view.php?id=CVE-2020-12675
The mappress-google-maps-for-wordpress plugin before 2.54.6 for WordPress does not correctly implement capability checks for AJAX functions related to creation/retrieval/deletion of PHP template files, leading to Remote Code Execution. NOTE: this issue exists because of an incomplete fix for CVE-2020-12077.
References: https://blog.alertlogic.com/alert-logic-threat-research-team-identifies-new-vulnerability-cve-2020-12675-in-mappress-plugin-for-wordpress
https://wordpress.org/plugins/mappress-google-maps-for-wordpress/#developers
CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2020-12077 – MapPress Maps for WordPress <=2.53.8 - Authenticated Map Creation/Deletion to Stored Cross-Site Scripting & Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-12077
The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution.
References: https://github.com/RandomRobbieBF/CVE-2020-12077
https://wordpress.org/plugins/mappress-google-maps-for-wordpress/#developers
https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-patched-in-mappress-maps-plugin
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-434: Unrestricted Upload of File with Dangerous Type
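The two entries above, CVE-2020-12077 (missing nonces or capability checks) and CVE-2020-12675 (capability checks still incomplete after the first fix), describe the same class of defect in the same set of AJAX handlers, so one added example serves both. This is a WordPress plugin fragment, not MapPress code; the real plugin's hook names, template directory and handler set are not on this page, and every action, function and nonce name below is hypothetical. It shows a handler that writes a PHP template file in its vulnerable shape, then the hardened shape with a single guard that every handler in the create/read/delete set calls.

```php
<?php
// Added example, not MapPress code: the nonce-plus-capability pattern whose
// absence is described for CVE-2020-12077 and CVE-2020-12675. WordPress
// plugin fragment (drop into wp-content/mu-plugins/ to try it); all action,
// nonce and function names are hypothetical.

// Vulnerable shape. Registered on wp_ajax_ only, so it needs a logged-in user,
// but nothing checks which user or whether the request was intended: any
// authenticated account that can reach admin-ajax.php can write a .php file.
add_action( 'wp_ajax_mpx_save_template_v1', 'mpx_save_template_vulnerable' );
function mpx_save_template_vulnerable() {
    $dir = plugin_dir_path( __FILE__ ) . 'templates/';
    file_put_contents( $dir . $_POST['name'] . '.php', wp_unslash( $_POST['contents'] ) );
    wp_send_json_success();
}

// Hardened shape. One guard shared by every handler in the create / read /
// delete set, so no handler can be added (or left behind) without it. That
// is the lesson of the incomplete fix: the check has to cover the whole set.
function mpx_authorize_template_request() {
    // CSRF: nonce must match this action for the current user. Dies on failure.
    check_ajax_referer( 'mpx_templates', 'nonce' );
    // Authorization: a nonce proves intent, not privilege. Any user who can load
    // a page that prints the nonce can send it back, so additionally require a
    // capability held only by the administrators who should edit PHP templates.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // Respect the site-wide switch that disables editing of PHP from the admin.
    if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) {
        wp_send_json_error( array( 'message' => 'file editing disabled' ), 403 );
    }
}

// Path confinement: sanitize_key() keeps only [a-z0-9_-], so the name carries
// no directory separators or dots; the dirname() check is defence in depth.
function mpx_template_path( $raw_name ) {
    $name = sanitize_key( wp_unslash( $raw_name ) );
    if ( '' === $name ) {
        wp_send_json_error( array( 'message' => 'bad template name' ), 400 );
    }
    $dir  = wp_normalize_path( plugin_dir_path( __FILE__ ) . 'templates/' );
    $path = $dir . $name . '.php';
    if ( wp_normalize_path( dirname( $path ) ) . '/' !== $dir ) {
        wp_send_json_error( array( 'message' => 'bad template path' ), 400 );
    }
    return $path;
}

add_action( 'wp_ajax_mpx_save_template', 'mpx_save_template' );
function mpx_save_template() {
    mpx_authorize_template_request();
    $path     = mpx_template_path( isset( $_POST['name'] ) ? $_POST['name'] : '' );
    $contents = isset( $_POST['contents'] ) ? wp_unslash( $_POST['contents'] ) : '';
    if ( false === file_put_contents( $path, $contents ) ) {
        wp_send_json_error( array( 'message' => 'write failed' ), 500 );
    }
    wp_send_json_success( array( 'template' => basename( $path ) ) );
}

add_action( 'wp_ajax_mpx_delete_template', 'mpx_delete_template' );
function mpx_delete_template() {
    mpx_authorize_template_request();
    $path = mpx_template_path( isset( $_POST['name'] ) ? $_POST['name'] : '' );
    if ( file_exists( $path ) && ! unlink( $path ) ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success();
}

// Deliberately NOT registered: add_action( 'wp_ajax_nopriv_mpx_save_template', ... ).
// A nopriv hook would expose the handler to unauthenticated requests.

// The nonce is minted server-side on admin pages only and handed to the page's
// JavaScript, which sends it back as the `nonce` POST field.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_register_script( 'mpx-templates', plugins_url( 'mpx-templates.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'mpx-templates', 'mpxTemplates', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'mpx_templates' ),
    ) );
    wp_enqueue_script( 'mpx-templates' );
} );
```

When reviewing a fix for a bug of this class, the check to run is mechanical: list every `wp_ajax_` and `wp_ajax_nopriv_` action the plugin registers, and confirm each handler that touches the filesystem reaches both `check_ajax_referer()` and a `current_user_can()` test before any write, read or unlink. A patch that adds the guard to one handler and leaves a sibling handler in the same set unguarded is exactly what the second CVE above records.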