CVE-2024-8620

4.8 MEDIUM

📋 TL;DR

The MapPress Maps for WordPress plugin before version 2.93 does not sanitise and escape some of its settings, which gives a stored cross-site scripting (XSS) vulnerability. A high-privilege user such as an administrator can save a script in the plugin settings that executes in the browser of any other user who views the affected page. The injection works even where the unfiltered_html capability is withheld, as it is for site administrators in WordPress multisite or when DISALLOW_UNFILTERED_HTML is set; on a single-site install an administrator already holds unfiltered_html and can place scripts in content anyway, so the practical impact is highest on multisite and otherwise hardened installations. Only WordPress sites running a vulnerable MapPress version are affected.

💻 Affected Systems

Products:
  • MapPress Maps for WordPress
Versions: All versions before 2.93
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with MapPress plugin installed. Vulnerability is present in default plugin configuration.

📦 What is this software?

MapPress Maps for WordPress is a plugin that embeds interactive maps (Google Maps or Leaflet/OpenStreetMap) in posts and pages through shortcodes and blocks. Its global settings are managed from the WordPress admin area, which is where the unescaped values in this issue are stored.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker holding an administrator account (on multisite, a site administrator who lacks unfiltered_html) saves JavaScript into the plugin settings. When a super administrator or another privileged user loads the affected page, the script runs in that user's session and can steal session cookies, redirect to phishing pages, or perform actions with that user's privileges, escalating a single-site admin account to control of the whole network.

🟠

Likely Case

A malicious or compromised admin account injects a script that executes when other privileged users view the plugin settings or another page that renders the affected values, potentially stealing credentials or performing unauthorized actions in those users' sessions.

🟢

If Mitigated

With proper user access controls and regular admin account monitoring, impact is limited to potential data exposure from admin sessions.

🌐 Internet-Facing: MEDIUM - WordPress sites are typically internet-facing, but exploitation requires admin credentials.
🏢 Internal Only: LOW - Internal-only WordPress instances still require admin access for exploitation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin-level access to WordPress; the injection itself is an ordinary settings save, which is why complexity is rated LOW even though the privilege bar is high. No public exploit code has been identified as of the analysis date.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.93

Vendor Advisory: https://wpscan.com/vulnerability/d8b0ddd8-0380-4185-aa00-8437e2b617ad/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find MapPress Maps for WordPress.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.93 or later from WordPress.org and update manually.

🔧 Temporary Workarounds

Remove admin access from untrusted users

all

Restrict admin privileges to essential, trusted personnel. On multisite, review which users hold site-administrator roles on each site: those are exactly the accounts that lack unfiltered_html and therefore gain something from this bug, so grant site admin only to people you would trust with unfiltered_html.

Disable MapPress plugin

linux

Temporarily deactivate the plugin until patching can be completed (maps will stop rendering on the site while it is off; on a multisite network, add --network to deactivate it network-wide).

wp plugin deactivate mappress-google-maps-for-wordpress

🧯 If You Can't Patch

  • Implement strict access controls, review who holds administrator (and, on multisite, site-administrator) roles, and monitor admin user activity for settings changes
  • Deploy web application firewall (WAF) rules to flag XSS payloads in POSTs to the plugin's settings page; note that the attacker is an authenticated admin submitting a legitimate form, so expect false positives on ordinary HTML in settings and easy evasion through encoding. Treat WAF matching as detection support, not a substitute for the patch

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → MapPress Maps for WordPress version number.

Check Version:

wp plugin get mappress-google-maps-for-wordpress --field=version

Verify Fix Applied:

Confirm plugin version is 2.93 or higher in WordPress admin plugins page.
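Added example, not part of the advisory or the MapPress project: a POSIX shell helper that performs the version check above. It assumes the wordpress.org plugin slug mappress-google-maps-for-wordpress (the slug the page uses) and that wp-cli is run from the WordPress root; the live lookup is only attempted when the script is invoked with --check, so the version comparison can be exercised on its own.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide whether an installed
# MapPress version falls in the affected range (< 2.93) and, when wp-cli is
# present, read the version from the live site.
# Assumptions: plugin slug mappress-google-maps-for-wordpress; `wp` runs from the
# site root (or add --path=/var/www/html to the wp call below).

FIXED_VERSION="2.93"

# version_lt A B: exit 0 (true) if A < B, comparing dot-separated numeric parts.
# Missing trailing parts count as 0, so 2.9 < 2.93 and 2.93.0 == 2.93. A plain
# string comparison would get this wrong (e.g. "2.100" sorts before "2.93").
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # all parts equal: not less than
    }'
}

# mappress_vulnerable VERSION: exit 0 if VERSION is affected by CVE-2024-8620.
mappress_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site: query the live install with wp-cli and print a verdict.
# Exit status: 0 patched, 1 vulnerable, 2 plugin absent or wp-cli unavailable.
check_site() {
    installed=$(wp plugin get mappress-google-maps-for-wordpress --field=version 2>/dev/null) || {
        echo "MapPress not installed (or wp-cli unavailable)"
        return 2
    }
    if mappress_vulnerable "$installed"; then
        echo "VULNERABLE: MapPress $installed < $FIXED_VERSION"
        return 1
    fi
    echo "OK: MapPress $installed >= $FIXED_VERSION"
    return 0
}

# Only touch the live site when explicitly asked.
if [ "${1:-}" = "--check" ]; then
    check_site
fi
```

Run it as `sh check-mappress.sh --check` from the WordPress root. The wp-cli counterpart of step 4 in the fix instructions is `wp plugin update mappress-google-maps-for-wordpress`, after which the same script should report OK.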

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin user activity modifying MapPress settings, especially from a site-administrator account on a multisite network
  • Script tags, javascript: URLs, or event-handler attributes (onerror, onload, ...) in settings values recorded by an audit-log plugin or WAF audit log. WordPress keeps no admin activity log by default, so this indicator requires such a source to exist

Network Indicators:

  • Suspicious JavaScript in HTTP POST requests to wp-admin/admin.php (or admin-ajax.php) whose query string references mappress. A standard web-server access log records only the request line, not the POST body, so inspecting the payload needs a WAF or reverse proxy that logs request bodies

SIEM Query:

source="wordpress.log" AND "admin.php" AND "mappress" AND ("script" OR "javascript" OR "onload" OR "onerror")

This query assumes a log source that includes request bodies or saved settings values; against a plain access log it only finds visits to the settings page. The bare terms also match legitimate settings text (and encoded payloads such as %3Cscript evade them), so tune it toward POST requests and percent-encoded variants before alerting on it.
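Added example, not from the advisory or the MapPress project: a shell pipeline that applies the network and SIEM indicators above to a log that does record POST bodies, such as a WAF/ModSecurity audit log or a WordPress audit plugin. The sample lines and their key=value layout are constructed for this example, and the parameter names in them (mappress_options[...], action=mappress_save) are hypothetical, not the plugin's real field names. The pipeline matches payload markers in both raw and percent-encoded form so no URL decoding step is needed.

```shell
#!/bin/sh
# Added example (not from the advisory): hunt for XSS-looking payloads in settings
# writes to MapPress admin endpoints. Assumes a log that captures POST bodies; the
# default web-server access log does not.

# Constructed sample log in a hypothetical key=value audit format. The field names
# mappress_options[...] and action=mappress_save are illustrative only.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2024-09-10T12:00:01Z user=alice ip=203.0.113.5 method=POST uri=/wp-admin/admin.php?page=mappress body="mappress_options[footer]=Contact+us+at+%40example"
2024-09-10T12:03:44Z user=mallory ip=198.51.100.7 method=POST uri=/wp-admin/admin.php?page=mappress body="mappress_options[footer]=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E"
2024-09-10T12:05:10Z user=bob ip=203.0.113.9 method=GET uri=/wp-admin/admin.php?page=mappress body=""
2024-09-10T12:07:22Z user=alice ip=203.0.113.5 method=POST uri=/wp-admin/post.php body="content=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
2024-09-10T12:09:03Z user=mallory ip=198.51.100.7 method=POST uri=/wp-admin/admin-ajax.php?action=mappress_save body="mappress_options[title]=javascript%3Aalert(1)"
EOF

# Stage 1: settings writes, i.e. POSTs to admin.php or admin-ajax.php whose query
# string mentions mappress. GETs and writes to other endpoints (post.php, where an
# admin with unfiltered_html may legitimately put scripts) are excluded.
MAPPRESS_WRITE='method=POST uri=/wp-admin/(admin|admin-ajax)\.php\?[^ ]*mappress'

# Stage 2: payload markers in raw or percent-encoded form (case-insensitive grep
# handles %3C vs %3c). Double-encoded payloads would still slip past this; decode
# and re-run if your log source preserves bodies verbatim.
XSS_MARKERS='(<|%3c)(script|img|svg|iframe)|javascript(:|%3a)|on(error|load|click|mouseover|focus)(=|%3d)'

# find_suspicious_writes LOGFILE: print flagged lines; exit 1 when there are none.
find_suspicious_writes() {
    grep -E "$MAPPRESS_WRITE" "$1" | grep -iE "$XSS_MARKERS"
}

# suspicious_users LOGFILE: distinct user= values behind the hits, one per line,
# which is the list of admin accounts to review or suspend.
suspicious_users() {
    find_suspicious_writes "$1" | sed -n 's/.* user=\([^ ]*\).*/\1/p' | sort -u
}

# count_hits LOGFILE: number of flagged lines, usable as an alert threshold.
count_hits() {
    find_suspicious_writes "$1" | wc -l | tr -d ' '
}

find_suspicious_writes "$SAMPLE_LOG"
```

Against the constructed sample only mallory's two writes are flagged: alice's ordinary footer text and her script in post.php (a normal unfiltered_html action on a single site) are not. Point the functions at a real audit log and feed `suspicious_users` into your account-review process.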

🔗 References

  • WPScan advisory: https://wpscan.com/vulnerability/d8b0ddd8-0380-4185-aa00-8437e2b617ad/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-8620
