CVE-2020-12077: MapPress Maps for WordPress

The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution.
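The defect class the CVE names, shown as an added PHP example that is not MapPress code: a WordPress admin-ajax handler that acts on request data with no nonce and no capability check, beside one that verifies both. The action and function names (mp_example_*) and the enqueued script are hypothetical; this page does not say which MapPress handlers were affected.

```php
<?php
// Added example, not the plugin's code. Names prefixed mp_example_ are hypothetical.

// --- The pattern described by the CVE: no nonce, no capability check. ---
// wp_ajax_nopriv_* also registers the action for logged-out visitors, so any request
// that reaches admin-ajax.php?action=mp_example_save_map_unchecked runs this code.
function mp_example_save_map_unchecked() {
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    // ... request data written to the database / filesystem without any authorization ...
    wp_send_json_success(array('saved' => $name));
}
add_action('wp_ajax_mp_example_save_map_unchecked', 'mp_example_save_map_unchecked');
add_action('wp_ajax_nopriv_mp_example_save_map_unchecked', 'mp_example_save_map_unchecked');

// --- Hardened form: nonce (CSRF) + capability (authorization) + input handling. ---
function mp_example_save_map_checked() {
    // 1. Nonce: proves the request originated from a page WordPress rendered for this
    //    user's session. check_ajax_referer() ends the request with HTTP 403 on failure.
    check_ajax_referer('mp_example_save_map', 'nonce');

    // 2. Capability: a valid nonce says nothing about what this user is allowed to do.
    //    The changelog's switch from manage_options to edit_posts for the maps menu is
    //    exactly this kind of decision; pick the least capability the action needs.
    if (!current_user_can('edit_posts')) {
        wp_send_json_error(array('message' => 'Insufficient permissions'), 403);
    }

    // 3. Treat every request field as untrusted.
    $name = isset($_POST['name']) ? sanitize_text_field(wp_unslash($_POST['name'])) : '';
    if ($name === '') {
        wp_send_json_error(array('message' => 'Map name is required'), 400);
    }

    // ... persist $name through WordPress APIs or $wpdb->prepare() ...
    wp_send_json_success(array('saved' => $name));
}
// Logged-in users only: no wp_ajax_nopriv_ registration for a state-changing action.
add_action('wp_ajax_mp_example_save_map', 'mp_example_save_map_checked');

// Hand the matching nonce to the client script that calls admin-ajax.php.
function mp_example_enqueue_scripts() {
    wp_enqueue_script('mp-example', plugins_url('mp-example.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('mp-example', 'mpExample', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('mp_example_save_map'),
    ));
}
add_action('admin_enqueue_scripts', 'mp_example_enqueue_scripts');
```

Two points worth keeping separate when reviewing a plugin's AJAX surface: the nonce defends against cross-site request forgery but is not an authorization check, and `current_user_can()` is what actually limits who may perform the action. Registering a `wp_ajax_nopriv_` hook for anything that writes data is the first thing to look for, since it removes even the requirement to be logged in.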


MapPress is the easiest way to add beautiful interactive Google and Leaflet maps to WordPress.

Create unlimited maps and markers using Gutenberg blocks or the classic editor. The popup map editor makes creating and editing maps easy!

Upgrade to MapPress Pro for even more features, including custom icons, search and filter, clustering, and much more. See it in action on the MapPress Home Page or test it yourself with a Free Demo Site!


Upgrade

  1. Deactivate your old MapPress version
  2. Delete your old MapPress version (don’t worry, the maps are saved in the database)
  3. Follow the installation instructions to install the new version

This plugin provides 2 blocks.

  • MapPress Map
  • MapPress Maps for WordPress

This plugin’s free version provides what other map plugins are charging for. I love the backend user interface. I went with the Google API just because that’s what I’m familiar with. My client wants to emphasize shipping destinations at points in the USA and around the world. And we needed a responsive map. Check. I’m very happy with this plugin. It works well with BeaverBuilder (but you need to use the Shortcode to embed a map…no big deal) alongside GravityForms. No conflicts, very stable, and so easy to use my clients can update the maps themselves with just a little orientation. Great job!

A great easy to use plugin

I’m still testing/designing the site but so far it’s exactly what I wanted.

Great plugin, very flexible and easy to use. It can give an “Obsolete jQuery version” error but usually you can just go into inspector and delete the error, and then you can edit the map anyway.

I have been using MapPress Maps for WordPress for years and it has made a tremendous difference on my website. People often say the best feature of the website is the maps! Whenever I have a question or issue, the developer is right there to help out. It is definitely the best plugin I have!

My first choice map and geo plugin. Support is developer level and really helpful with a production site.


“MapPress Maps for WordPress” is open source software. The following people have contributed to this plugin.

Contributors

  • chrisvrichardson

2.84.21

  • Changed: update version compatibility
  • Changed: add alt tags to template icons

2.84.20

  • Fixed: sanitize map name in iframes

2.84.19

  • Fixed: geolocate parameter not passed through from shortcode

2.84.18

  • Fixed: unable to save settings when sizes are numeric

2.84.17

  • Fixed: mashup query bug in 2.84.16

2.84.16

  • Added: German translation
  • Changed: internal changes to settings screen
  • Fixed: directions not working for lat/lng POIs

2.84.15

  • Added: support for hyphenated poi.props variables
  • Changed: parse shortcodes in poi body (frontend only)
  • Changed: fix for WP async image bug is now applied only for WP version < 6.1.1
  • Fixed: directions tab blocked by popup blocker

2.84.14

  • Fixed: directions not rendering properly when POI list is disabled
  • Fixed: popup not always centering when canvas is resized
  • Fixed: directions CSS made form too small

2.84.13

  • Fixed: temporary fix for WordPress 6.1 async image issue: https://core.trac.wordpress.org/ticket/56969. Fix prevents modifying image URLs.

2.84.12

  • Fixed: readme changelog not showing current version
  • Fixed: script error when using Complianz + Leaflet + marker clustering

2.84.11

  • Fixed: for GDPR, default “red-dot” icon now loaded from plugin directory
  • Changed: added partial pl_PL translation

2.84.10

  • Fixed: POI hover effect not triggering if POI isn’t opened on hover

2.84.9

  • Added: local leaflet libraries for GDPR
  • Changed: removed obsolete translation files

2.84.8

  • Fixed: complianz not working

2.84.7

  • Fixed: patch in 2.84.6 caused geocoding to fail when adding markers and opening popups
  • Fixed: JavaScript not executing inside popup templates

2.84.6

  • Fixed: error when manually centering some maps, in toJSON() method

2.84.5

  • Fixed: translations loading from plugin directory

2.84.4

  • Added: maps GDPR compliance using the ‘Complianz’ plugin
  • Changed: renamed ‘iframes’ setting to ‘compatibility mode’
  • Changed: iframes forced when Jetpack infinite scroll active
  • Fixed: mashup query not filtering POIs when run in iframe

2.84.3

  • Added: new Google marker clusterer (https://github.com/googlemaps/js-markerclusterer)
  • Added: setting to geolocate on user when map is first displayed
  • Changed: better initial centering when poiZoom is set
  • Changed: updates to welcome guide and deactivation menu
  • Fixed: KML files not centering when added in editor
  • Fixed: KML error when using Leaflet
  • Fixed: initial centering when geolocating and browser geolocation is disabled

2.84.2

  • Fixed: map sizing incorrectly when using inline list in iframe

2.84.1

  • Added: Google AMP compatibility
  • Added: better help text for the “poiZoom” setting
  • Changed: revert iframes to template_redirect
  • Changed: removed CSS centering for popup texts
  • Fixed: templates and scripts loaded on the main page when iframes active

2.84

  • Added: new map editor
  • Fixed: Google sheet upload error
  • Fixed: map styles search not working if enter key pressed

2.83.23

  • Fixed: database upgrade running for new installs
  • Fixed: option setting to initially close sidebar is ignored

2.83.22

  • Changed: allow popup to size larger when thumbnails are set to top, but no image is present
  • Fixed: missing scrollbars when popup content is large
  • Fixed: warning if default size selected in settings is invalid

2.83.21

  • Fixed: typo in setting ‘showCoverageOnHover’

2.83.20

  • Fixed: SVN publish

2.83.19

  • Fixed: remove generated iframe from build

2.83.18

  • Changed: enabled ‘check now’ button even when license is active

2.83.17

  • Fixed: mini map class not being applied to small maps
  • Fixed: other plugins break iframes by adding ‘defer’ to script tags

2.83.16

  • Changed: prevent WP from overwriting Pro with free version

2.83.15

  • Fixed: setting initialopeninfo with no map POIs causes JS error

2.83.14

  • Fixed: console warnings in Google marker clusterer from deprecated google.maps.addDomEventListener
  • Fixed: iframe not resizing when height is ‘vh’

2.83.13

  • Added: setting to allow mashup thumbnail images to come from either post or POI (mashupThumbs)
  • Added: fast iframes, and iframes that resize to inline (bottom) POI list layout
  • Changed: popups opened by marker hover now close after a short delay when mouse is moved away
  • Fixed: POI list not scrolling to top on page change

2.83.12

  • Changed: Google now returns viewport for street addresses, so poiZoom (default zoom) setting applies even if viewport is present
  • Fixed: map loses attachment if attached and then immediately edited

2.83.11

  • Fixed: syntax error in API for old versions of PHP

2.83.10

  • Changed: map minimum width changed from 250 to 200px
  • Changed: template editor split to separate module
  • Changed: post attachment control updated
  • Changed: REST API code added
  • Fixed: hideEmpty mashup parameter not compatible with new query functions

2.83.9

  • Changed: importer updated to allow upper-case column names
  • Changed: updated authors in mashup block to reflect new core data
  • Fixed: focus incorrect when creating new map and selecting title
  • Fixed: map not linked to post when creating new post
  • Fixed: refresh query button not working in mashup block

2.83.8

  • Fixed: mashup block shortcode viewer removed
  • Fixed: importer sample map selecting all POIs at once

2.83.7

  • Fixed: republish 2.83.6 changes

2.83.6

  • Fixed: map iframe interfering with theme customizer

2.83.5

  • Changed: workaround for other plugins loading obsolete versions of wp.element
  • Fixed: clicking on mashup thumbnail image not opening underlying post

2.83.4

  • Fixed: updated German translation
  • Fixed: double markers showing when using multiple maps with Leaflet clustering

2.83.3

  • Fixed: POI list pagination incorrect

2.83.2

  • Fixed: drag and drop error with Leaflet polyfill

2.83.1

  • Fixed: error from Leaflet json polyfill when theme overwrites Leaflet

2.83

  • Added: setting to disable Leaflet cluster outline polygons
  • Changed: editor maps switched to react
  • Fixed: directions not working for POIs with no address

2.82.4

  • Fixed: directions link not working

2.82.3

  • Fixed: markers shown outside clusters on initial load
  • Fixed: editor marker drag/drop not working

2.82.2

  • Fixed: zooming in and out on Google clusters could result in ‘null’ marker
  • Fixed: revert auto-sizing iframes; not compatible with viewport (‘vh’) sizing

2.82.1

  • Fixed: maps sized wrong when using sizes without units

2.82

  • Changed: frontend loader and rendering switched to react components
  • Changed: iframes resize to content

2.81.2

  • Changed: convert import/settings to react map

2.81.1

  • Fixed: url query parameter removed, some sites throw 403 error

2.81

  • Fixed: POI list showing extra POI beyond page size
  • Fixed: Map editor page size should not be controlled by front-end settings
  • Changed: begin React code transition for admin

2.80.11

  • Fixed: innodb utf8mb4 index on map title limited to 191 characters

2.80.10

  • Fixed: sorting not working in map list
  • Fixed: save button not disabled during map save
  • Fixed: trashed maps included in mashups

2.80.9

  • Fixed: array not initialized for custom props

2.80.8

  • Fixed: missing token description in template editor
  • Fixed: multiple custom fields not pulled into templates

2.80.7

  • Fixed: settings not saved in setup wizard

2.80.6

  • Added: trigger DB upgrade automatically

2.80.5

  • Fixed: maps not displaying when scripts output in footer

2.80.4

  • Added: enabled user maps

2.80.3

  • Changed: authorization ‘edit_posts’ is now used instead of ‘manage_options’ for the ‘maps’ menu
  • Changed: thumbnail images now specify size for better popup sizing

2.80.2

  • Fixed: POI list not selecting open POI
  • Fixed: mashup error when debugging enabled
  • Fixed: error when dismissing notices

2.80.1

  • Fixed: database upgrade check incorrect

2.80

  • Added: settings added for directions links in POI list
  • Changed: filters output even when closed, to allow custom CSS modification
  • Fixed: POIs filtered by map bounds even when search disabled

2.77.3

  • Fixed: thumbnail not positioned properly in popup modal
  • Fixed: template ‘default’ tab showing current template instead
  • Fixed: POIs were being filtered by bounds even when search disabled

2.77.2

  • Fixed: shapes not centering correctly when clicked
  • Fixed: not possible to enable POI hover and open POIs in a new tab or modal
  • Changed: added lazy loading and speed tests for iframes
  • Changed: deactivation screen updated

2.77.1

  • Fixed: ACF map fields not being read in mashups
  • Fixed: enable beta versions checkbox not working

2.77

  • Changed: source files renamed
  • Fixed: show filter options without escaping

2.76.6

  • Changed: updated query filters for WP 6.0
  • Fixed: adjusted infowindow sizing for sub-pixel rendering

2.76.5

  • Fixed: adjust webpack configuration to pick up missing translations

2.76.4

  • Fixed: mashup inline list not scrolling
  • Fixed: category filter include/exclude not working

2.76.3

  • Fixed: mashup list pagination not working

2.76.2

  • Fixed: directions link not working

2.76.1

  • Fixed: syntax error in mashups
  • Fixed: missing translation for pages
  • Fixed: list page size not working

2.76

  • Added: images can now be attached to POIs
  • Added: if multiple images exist, an image gallery is displayed in the map list and popups
  • Fixed: KML overlays were not displaying properly

2.75.6

  • Fixed: error when dragging Leaflet markers

2.75.5

  • Fixed: geocoding errors written to posts with no custom fields
  • Fixed: thumbnails not displaying properly in list
  • Fixed: insert not working for map sidebar panel

2.75.4

  • Fixed: maps with save center not displaying

2.75.3

  • Fixed: directions ‘to’ address blank

2.75.2

  • Changed: removed unused list templates
  • Fixed: missing POT translation for filter counts
  • Fixed: POI popup modal not working

2.75.1

  • Fixed: CSS preventing scrolling bottom POI list
  • Fixed: POI list not displaying in editor if disabled in settings
  • Fixed: blank map edit screen for some sites

2.75

  • Changed: completed removal of obsolete Algolia geocoder
  • Changed: updated JavaScript: map editor, POI editor, POI list, directions, map menu, map picker and settings
  • Changed: clustering libraries sourced from CDN

2.74.3

  • Fixed: removed import menu from free version
  • Fixed: removed French translation from plugin directory

2.74.2

  • Fixed: custom field geocoding not working

2.74.1

  • Fixed: option screen alignment wrong for some options
  • Fixed: travel line animation setting not saving properly

2.74

  • Added: option to connect POIs with lines, for travel blogs, etc. Lines can be enabled/disabled in the settings or with the shortcode: [mappress lines="true"]
  • Added: new filters form using AJAX
  • Added: import screen for importing maps from CSV files
  • Changed: geocoding custom fields now use a datalist dropdown for easier entry
  • Fixed: Leaflet popup not centered when POI is opened from off-screen
  • Fixed: translations not available for JavaScript texts
  • Fixed: directions not opening when list is below map
  • Fixed: hovering highlight not removed
  • Fixed: on some servers compression settings prevented AJAX calls with output buffering enabled

2.73.18

  • Fixed: added back ability to programmatically specify center as array of (lat,lng)

2.73.17

  • Added: KML URL is now output when there is an error loading the KML file
  • Fixed: geocoder not recognizing some locations, including “lat,lng” entries

2.73.16

  • Fixed: autocomplete not creating new POIs

2.73.15

  • Changed: replaced JQuery Autocomplete with new search box

2.73.14

  • Fixed: check for wp-config settings preventing file changes

2.73.13

  • Fixed: check for wp-config settings preventing file changes

2.73.12

  • Fixed: inline directions input not working

2.73.11

  • Fixed: include/exclude not working for taxonomy filters

2.73.10

  • Fixed: notice on widget screen
  • Fixed: errors on beta theme editor screen
  • Changed: Remove jQuery version check and jQuery tabs control

2.73.9

  • Fixed: map doesn’t display if google directions used
  • Changed: filter CSS updated

2.73.8

  • Fixed: allow autoptimize to process scripts
  • Fixed: underscore functions and templates broken by woocommerce lodash

2.73.7

  • Fixed: notice in wp_query groupby

2.73.6

  • Fixed: exclude wp JS from autoptimize

2.73.5

  • Fixed: error resizing maps in jQuery tabs

2.73.4

  • Added: base code for mashups by users
  • Fixed: maps attached to a trashed post now appear in the map library
  • Fixed: template editor now inserts properly-formatted tokens for custom fields
  • Fixed: mashup query filters could interfere with queries from POI oembeds

2.73.3

  • Fixed: PHP error when loading filters template

2.73.2

  • Fixed: possible PHP error on settings screen
  • Fixed: box-sizing added to layout CSS, directions made max width in mini view

2.73.1

  • Fixed: directions not displaying

2.73

  • Important: filters CSS has been updated, please update any custom filter forms to match
  • Added: better popup panning and sizing
  • Added: new custom JSON styles can be created in the style editor
  • Added: setting for filter position (search box or POI list)
  • Added: new filter editor in MapPress settings
  • Added: post count in filter dropdown
  • Added: new filter types: post type and text box
  • Added: user-defined labels for filters
  • Added: filter display formats (select/checkbox/radio)
  • Added: include or exclude specific terms (tags, categories,…) for filters
  • Fixed: filters size better in mini mode
  • Fixed: POI body not showing in Firefox when thumbnails on left/right
  • Fixed: control for attaching posts to maps now shows the correct custom post type
  • Fixed: mashup block not updating when query parameters change
  • Fixed: Gutenberg boolean attributes defaulting to false when converting classic blocks
  • Fixed: settings screen not displaying on some WordPress-hosted sites

2.72.5

  • Fixed: list toggle not working

2.72.4

  • Fixed: directions link not working if no POI list present

2.72.3

  • Increment version

2.72.2

  • Changed: allow DOM events to bubble out of the map container

2.72.1

  • Fixed: POI drag and drop sorting not working in editor
  • Fixed: shortcodes in AJAX calls now include scripts with map/mashup output

2.72

  • Changed: mashup queries now use a single SQL statement, for hosts that limit SQL size
  • Fixed: youtube videos inside popups did not play full screen
  • Fixed: [mashup query="current"] now displays current posts correctly

2.71.1

  • Added: option for POI list page size
  • Added: option for POI list open/closed when map is loaded
  • Fixed: directions not working on Android

2.71

  • Added: enable search for individual maps
  • Added: classic editor button updated for compatibility with Enfold theme
  • Changed: remove initialOpenDirections parameter
  • Changed: speed up Nominatim autocomplete
  • Changed: internal updates to ES6 JS for options and maps

2.70.1

  • Changed: clearer highlighting in map list
  • Changed: remove beta version
  • Changed: remove IE11 support

2.70

  • Added: maps can now be trashed or restored
