CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6524 – MapPress Maps for WordPress <= 2.88.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6524
02 Jan 2024 — The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the map title parameter in all versions up to and including 2.88.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. MapPress Maps for WordPress plugin for WordPress es vulnerable a cross site scripting almacenad... • https://advisory.abay.sh/cve-2023-6524 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0537 – MapPress Maps for WordPress < 2.73.13 - Admin+ File Upload to Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-0537
14 Mar 2022 — The MapPress Maps for WordPress plugin before 2.73.13 allows a high privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current 's stylesheet directory, and a .php file extension is added. No validation is performed on the content of the file, triggering an RCE vulnerability by uploading a web shell. Further the name parameter is not sanitized, allowing the payload to be ... • https://wpscan.com/vulnerability/abfbba70-5158-4990-98e5-f302361db367 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 4%CPEs: 1EXPL: 1CVE-2022-0208 – MapPress Maps for WordPress < 2.73.4 - Reflected Cross-Site scripting
https://notcve.org/view.php?id=CVE-2022-0208
17 Jan 2022 — The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting El plugin MapPress Maps para WordPress versiones anteriores a 2.73.4, no sanea y escapa del parámetro mapid antes de devolverlo en el mensaje de error "Bad mapid", conllevando a un problema de tipo Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/59a2abd0-4aee-47aa-ad3a-865f624fa0fc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 9%CPEs: 1EXPL: 0CVE-2020-12675 – MapPress Maps <= 2.54.5 - Remote Code Execution via Improper Capability Checks in AJAX Calls
https://notcve.org/view.php?id=CVE-2020-12675
28 May 2020 — The mappress-google-maps-for-wordpress plugin before 2.54.6 for WordPress does not correctly implement capability checks for AJAX functions related to creation/retrieval/deletion of PHP template files, leading to Remote Code Execution. NOTE: this issue exists because of an incomplete fix for CVE-2020-12077. El plugin mappress-google-maps-for-wordpress versiones anteriores a 2.54.6 para WordPress, no implementa correctamente las comprobaciones de capacidad para las funcionalidades AJAX relacionadas con la cr... • https://blog.alertlogic.com/alert-logic-threat-research-team-identifies-new-vulnerability-cve-2020-12675-in-mappress-plugin-for-wordpress • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 58%CPEs: 1EXPL: 2CVE-2020-12077 – MapPress Maps for WordPress <=2.53.8 - Authenticated Map Creation/Deletion to Stored Cross-Site Scripting & Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-12077
01 Apr 2020 — The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution. El plugin mappress-google-maps-for-wordpress en versiones anteriores a la 2.53.9 para Wordpress no implementa correctamente las funciones AJAX con nonces (o controles de capacidad), lo que conduce a la ejecución de código remoto. • https://github.com/RandomRobbieBF/CVE-2020-12077 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-434: Unrestricted Upload of File with Dangerous Type •