Remote Code Execution Vulnerability in Mappress Google Maps Plugin for WordPress
CVE-2020-12675

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Mappress
Vendor: CVE Published:; 29 May 2020

Summary

The Mappress Google Maps Plugin for WordPress, prior to version 2.54.6, is susceptible to a remote code execution vulnerability due to improper capability checks for AJAX functions involved in the creation, retrieval, and deletion of PHP template files. This flaw allows attackers to potentially execute arbitrary code on the server, posing significant risks. The issue arose from an incomplete fix associated with a previous vulnerability, indicating a persistent threat if not addressed.

References

https://wordpress.org/plugins/mappress-google-maps-for-wo...

x_refsource_MISC

https://blog.alertlogic.com/alert-logic-threat-research-t...

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 29, 2020
Vulnerability Reserved
May 6, 2020