Headline

CVE-2020-12077: MapPress Maps for WordPress

The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution.

4 years ago

CVE

Open in Source

#sql #web #android #google #js #git #java #wordpress #php #rce #perl #auth #firefox

Details
Reviews
Installation
Development

MapPress is the easiest way to add beautiful interactive Google and Leaflet maps to WordPress.

Create unlimited maps and markers using Gutenberg blocks or the classic editor. The popup map editor makes creating and editing maps easy!

Upgrade to MapPress Pro for even more features, including custom icons, search and filter, clustering, and much more. See it in action on the MapPress Home Page or test it yourself with a Free Demo Site!

Home Page
What’s New
Documentation
FAQ
Support

Upgrade

Deactivate your old MapPress version
Delete your old MapPress version (don’t worry, the maps are saved in the database)
Follow the installation instructions to install the new version

This plugin provides 2 blocks.

MapPress Map
MapPress Maps for WordPress

This plugin’s free version provides what other map plugins are charging for. I love the backend user interface. I went with the Google API just because that’s what I’m familiar with. My client wants to emphasize shipping destinations at points in the USA and around the world. And we needed a responsive map. Check. I’m very happy with this plugin. It works well with BeaverBuilder (but you need to use the Shortcode to embed a map…no big deal) alongside GravityForms. No conflicts, very stable, and so easy to use my clients can update the maps themselves with just a little orientation. Great job!

A great easy to use plugin

I’m still testing/designing the site but so far it’s exactly what I wanted.

Great plugin, very flexible and easy to use. It can give a “Obsolete jQuery version” error but usually you can just go into inspector and delete the error, and then you can edit the map anyway.

I have been using MapPress Maps for WordPress for years and it has made a tremendous difference on my website. People often say the best feature of the website is the maps! Whenever I have a question or issue, the developer is right there to help out. It is definitely the best plugin I have!

My first choice map and geo plugin. Support is developer level and really helpful with a production site.

Read all 139 reviews

“MapPress Maps for WordPress” is open source software. The following people have contributed to this plugin.

Contributors

chrisvrichardson

2.84.21

Changed: update version compatibility
Changed: add alt tags to template icons

2.84.20

Fixed: sanitize map name in iframes

2.84.19

Fixed: geolocate parameter not passed through from shortcode

2.84.18

Fixed: unable to save settings when sizes are numeric

2.84.17

Fixed: mashup query bug in 2.84.16

2.84.16

Added: German translation
Changed: internal changes to settings screen
Fixed: directions not working for lat/lng POIs

2.84.15

Added: support for hyphenated poi.props variables
Changed: parse shortcodes in poi body (frontend only)
Changed: fix for WP async image bug is now applied only for WP version < 6.1.1
Fixed: directions tab blocked by popup blocker

2.84.14

Fixed: directions not rendering properly when POI list is disabled
Fixed: popup not always centering when canvas is resized
Fixed: directions CSS made form too small

2.84.13

Fixed: temporary fix for WordPress 6.1 async image issue: https://core.trac.wordpress.org/ticket/56969. Fix prevents modifying image URLs.

2.84.12

Fixed: readme changelog not showing current version
Fixed: script error when using Complianz + Leaflet + marker clustering

2.84.11

Fixed: for GDPR, default “red-dot” icon now loaded from plugin directory
Changed: added partial pl_PL translation

2.84.10

Fixed: POI hover effect not triggering if POI isn’t opened on hover

2.84.9

Added: local leaflet libraries for GDPR
Changed: removed obsolete translation files

2.84.8

Fixed: complianz not working

2.84.7

Fixed: patch in 2.84.6 caused geocoding to fail when adding markers and opening popups
Fixed: JavaScript not executing inside popup templates

2.84.6

Fixed: error when manually centering some maps, in toJSON() method

2.84.5

Fixed: translations loading from plugin directory

2.84.4

Added: maps GDPR compliance using the ‘Complianz’ plugin
Changed: renamed ‘iframes’ setting to ‘compatibility mode’
Changed: iframes forced when Jetpack infinite scroll active
Fixed: mashup query not filtering POIs when run in iframe

2.84.3

Added: new Google marker clusterer (https://github.com/googlemaps/js-markerclusterer)
Added: setting to geolocate on user when map is first displayed
Changed: better initial centering when poiZoom is set
Changed: updates to welcome guide and deactvation menu
Fixed: KML files not centering when added in editor
Fixed: KML error when using Leaflet
Fixed: initial centering when geolocating and browser geolocation is disabled

2.84.2

Fixed: map sizing incorrectly when using inline list in iframe

2.84.1

Added: Google AMP compatibility
Added: better help text for the “poiZoom” setting
Changed: revert iframes to template_redirect
Changed: removed CSS centering for popup texts
Fixed: templates and scripts loaded on the main page when iframes active

2.84

Added: new map editor
Fixed: Google sheet upload error
Fixed: map styles search not working if enter key pressed

2.83.23

Fixed: database upgrade running for new installs
Fixed: option setting to initially close sidebar is ignored

2.83.22

Changed: allow popup to size larger when thumbnails are set to top, but no image is present
Fixed: missing scrollbars when popup content is large
Fixed: warning if default size selected in settings is invalid

2.83.21

Fixed: typo in setting ‘showCoverageOnHover’

2.83.20

Fixed: SVN publish

2.83.19

Fixed: remove generated iframe from build

2.83.18

Changed: enabled ‘check now’ button even when license is active

2.83.17

Fixed: mini map class not being applied to small maps
Fixed: other plugins break iframes by adding ‘defer’ to script tags

2.83.16

Changed: prevent WP from overwriting Pro with free version

2.83.15

Fixed: setting initialopeninfo with no map POIs causes JS error

2.83.14

Fixed: console warnings in Google marker clusterer from deprecated google.maps.addDomEventListener
Fixed: iframe not resizing when height is ‘vh’

2.83.13

Added: setting to allow mashup thumbnail images to come from either post or POI (mashupThumbs)
Added: fast iframes, and iframes that resize to inline (bottom) POI list layout
Changed: popups opened by marker hover now close after a short delay when mouse is moved away
Fixed: POI list not scrolling to top on page change

2.83.12

Changed: Google now returns viewport for street addresses, so poiZoom (default zoom) setting applies even if viewport is present
Fixed: map loses attachment if attached and then immediately edited

2.83.11

Fixed: syntax error in API for old versions of PHP

2.83.10

Changed: map minimum width changed from 250 to 200px
Changed: template editor split to separate module
Changed: post attachment control updated
Changed: REST API code added
Fixed: hideEmpty mashup parameter not compatible with new query functions

2.83.9

Changed: importer updated to allow upper-case column names
Changed: updated authors in mashup block to reflect new core data
Fixed: focus incorrect when creating new map and selecting title
Fixed: map not linked to post when creating new post
Fixed: refresh query button not working in mashup block

2.83.8

Fixed: mashup block shortcode viewer removed
Fixed: importer sample map selecting all POIs at once

2.83.7

Fixed: republish 2.83.6 changes

2.83.6

Fixed: map iframe interfering with theme customizer

2.83.5

Changed: workaround for other plugins loading obsolete versions of wp.element
Fixed: clicking on mashup thumbnail image not opening underlying post

2.83.4

Fixed: updated German translation
Fixed: double markers showing when using multiple maps with Leaflet clustering

2.83.3

Fixed: POI list pagination incorrect

2.83.2

Fixed: drag and drop error with Leaflet polyfill

2.83.1

Fixed: error from Leaflet json polyfill when theme overwrites Leaflet

2.83

Added: setting to disable Leaflet cluster outline polygons
Changed: editor maps switched to react
Fixed: directions not working for POIs with no address

2.82.4

Fixed: directions link not working

2.82.3

Fixed: markers shown outside clusters on initial load
Fixed: editor marker drag/drop not working

2.82.2

Fixed: zooming in and out on Google clusters could result in ‘null’ marker
Fixed: revert auto-sizing iframes; not compatible with viewport (‘vh’) sizing

2.82.1

Fixed: maps sized wrong when using sizes without units

2.82

Changed: frontend loader and rendering switched to react components
Changed: iframes resize to content

2.81.2

Changed: convert import/settings to react map

2.81.1

Fixed: url query parameter removed, some sites throw 403 error

2.81

Fixed: POI list showing extra POI beyond page size
Fixed: Map editor page size should not be controlled by front-end settings
Changed: begin React code transition for admin

2.80.11

Fixed: innodb utf8mb4 index on map title limited to 191 characters

2.80.10

Fixed: sorting not working in map list
Fixed: save button not disabled during map save
Fixed: trashed maps included in mashups

2.80.9

Fixed: array not initialized for custom props

2.80.8

Fixed: missing token description in template editor
Fixed: multiple custom fields not pulled into templates

2.80.7

Fixed: settings not saved in setup wizard

2.80.6

Added: trigger DB upgrade automatically

2.80.5

Fixed: maps not displaying when scripts output in footer

2.80.4

Added: enabled user maps

2.80.3

Changed: authorization ‘edit_posts’ is now used instead of ‘manage_options’ for the ‘maps’ menu
Changed: thumbnail images now specify size for better popup sizing

2.80.2

Fixed: POI list not selecting open POI
Fixed: mashup error when debugging enabled
Fixed: error when dismissing notices

2.80.1

Fixed: database upgrade check incorrect

2.80

Added: settings added for directions links in POI list
Changed: filters output even when closed, to allow custom CSS modification
Fixed: POIs filtered by map bounds even when search disabled

2.77.3

Fixed: thumbnail not positioned properly in popup modal
Fixed: template ‘default’ tab showing current template instead
Fixed: POIs were being filtered by bounds even when search disabled

2.77.2

Fixed: shapes not centering correctly when clicked
Fixed: not possible to enable POI hover and open POIs in a new tab or modal
Changed: added lazy loading and speed tests for iframes
Changed: deactivation screen updated

2.77.1

Fixed: ACF map fields not being read in mashups
Fixed: enable beta versions checkbox not working

2.77

Changed: source files renamed
Fixed: show filter options without escaping

2.76.6

Changed: updated query filters for WP 6.0
Fixed: adjusted infowindow sizing for sub-pixel rendering

2.76.5

Fixed: adjust webpack configuration to pick up missing translations

2.76.4

Fixed: mashup inline list not scrolling
Fixed: category filter include/exclude not working

2.76.3

Fixed: mashup list pagination not working

2.76.2

Fixed: directions link not working

2.76.1

Fixed: syntax error in mashups
Fixed: missing translation for pages
Fixed: list page size not working

2.76

Added: images can now be attached to POIs
Added: if multiple images exist, an image gallery is displayed in the map list and popups
Fixed: KML overlays were not displaying properly

2.75.6

Fixed: error when dragging Leaflet markers

2.75.5

Fixed: geocoding errors written to posts with no custom fields
Fixed: thumbnails not displaying properly in list
Fixed: insert not working for map sidebar panel

2.75.4

Fixed: maps with save center not displaying

2.75.3

Fixed: directions ‘to’ address blank

2.75.2

Changed: removed unused list templates
Fixed: missing POT translation for filter counts
Fixed: POI popup modal not working

2.75.1

Fixed: CSS preventing scrolling bottom POI list
Fixed: POI list not displaying in editor if disabled in settings
Fixed: blank map edit screen for some sites

2.75

Changed: completed removal of obsolete Algolia geocoder
Changed: updated JavaScript: map editor, POI editor, POI list, directions, map menu, map picker and settings
Changed: clustering libraries sourced from CDN

2.74.3

Fixed: removed import menu from free version
Fixed: removed french translation from plugin directory

2.74.2

Fixed: custom field geocoding not working

2.74.1

Fixed: option screen alignment wrong for some options
Fixed: travel line animation setting not saving properly

2.74

Added: option to connect POIs with lines, for travel blogs, etc. Lines can be enabled/disabled in the settings or with the shortcode: [mappress lines=”true”]
Added: new filters form using AJAX
Added: import screen for importing maps from CSV files
Changed: geocoding custom fields now use a datalist dropdown for easier entry
Fixed: Leaflet popup not centered when POI is opened from off-screen
Fixed: translations not available for JavaScript texts
Fixed: directions not opening when list is below map
Fixed: hovering highlight not removed
Fixed: on some servers compression settings prevented AJAX calls with output buffering enabled

2.73.18

Fixed: added back ability to programmatically specify center as array of (lat,lng)

2.73.17

Added: KML URL is now output when there is an error loading the KML file
Fixed: geocoder not recognizing some locations, including “lat,lng” entries

2.73.16

Fixed: autocomplete not creating new POIs

2.73.15

Changed: replaced JQuery Autocomplete with new search box

2.73.14

Fixed: check for wp-config settings preventing file changes

2.73.13

Fixed: check for wp-config settings preventing file changes

2.73.12

Fixed: inline directions input not working

2.73.11

Fixed: include/exclude not working for taxonomy filters

2.73.10

Fixed: notice on widget screen
Fixed: errors on beta theme editor screen
Changed: Remove jQuery version check and jQuery tabs control

2.73.9

Fixed: map doesn’t display if google directions used
Changed: filter CSS updated

2.73.8

Fixed: allow autoptimize to process scripts
Fixed: underscore functions and templates broken by woocommerce lodash

2.73.7

Fixed: notice in wp_query groupby

2.73.6

Fixed: exclude wp JS from autoptimize

2.73.5

Fixed: error resizing maps in jQuery tabs

2.73.4

Added: base code for mashups by users
Fixed: maps attached to a trashed post now appear in the map library
Fixed: template editor now inserts properly-formatted tokens for custom fields
Fixed: mashup query filtes could interfere with queries from POI oembeds

2.73.3

Fixed: PHP error when loading filters template

2.73.2

Fixed: possible PHP error on settings screen
Fixed: box-sizing added to layout CSS, directions made max width in mini view

2.73.1

Fixed: directions not displaying

2.73

Important: filters CSS has been updated, please update any custom filter forms to match
Added: better popup panning and sizing
Added: new custom JSON styles can be created in the style editor
Added: setting for filter position (search box or POI list)
Added: new filter editor in MapPress settings
Added: post count in filter dropdown
Added: new filter types: post type and text box
Added: user-defined labels for filters
Added: filter display formats (select/checkbox/radio)
Added: include or exclude specific terms (tags, categories,…) for filters
Fixed: filters size better in mini mode
Fixed: POI body not showing in Firefox when thumbnails on left/right
Fixed: control for attaching posts to maps now shows the correct custom post type
Fixed: mashup block not updating when query parameters change
Fixed: Gutenberg boolean attributes defaulting to false when converting classic blocks
Fixed: settings screen not displaying on some wordpress hosted sites

2.72.5

Fixed: list toggle not working

2.72.4

Fixed: directions link not working if no POI list present

2.72.3

Increment version

2.72.2

Changed: allow DOM events to bubble out of the map container

2.72.1

Fixed: POI drag and drop sorting not working in editor
Fixed: shortcodes in AJAX calls now include scripts with map/mashup output

2.72

Changed: mashup queries now use a single SQL statement, for hosts that limit SQL size
Fixed: youtube videos inside popups did not play full screen
Fixed: [mashup query=”current”] now displays current posts correctly

2.71.1