During a recent threat hunt aimed at WordPress plugins, the Alert Logic Threat Research team identified a vulnerability in MapPress Maps for WordPress. The MapPress plugin has over 80,000 installations. This vulnerability enables an attacker with subscriber privileges to download or delete arbitrary PHP files, or to upload arbitrary malicious PHP files to vulnerable sites, which could result in remote command execution. After we worked with the MapPress development team, the vulnerability was resolved as of version 2.54.6.
Per the Alert Logic responsible disclosure policy, we contacted the developer to report the issue and worked closely with them to resolve the underlying vulnerability. We commend the MapPress development team for responding quickly and working with us openly to resolve the issue. We have reported the vulnerability to MITRE and it has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2020-12675. You can visit the CVE page for additional details (please note, this page is currently in reserved status and more content will be added shortly).
In addition to identifying the CVE, Alert Logic’s Threat Intelligence team has deployed detection content that enables our Security Operations Center to detect potential exploitation attempts and alert our customers.
Alert Logic strongly recommends that all parties using the MapPress plugin for WordPress immediately update to version 2.54.6 or newer to remediate this vulnerability. We will be providing additional details about this vulnerability in the coming weeks.