CVE-2024-0421: 
WordPress vulnerability analysis and mitigation

The MapPress Maps for WordPress plugin before version 2.88.16 contains an Insecure Direct Object Reference (IDOR) vulnerability. The vulnerability was discovered on January 17, 2024, and assigned CVE-2024-0421. The issue affects the plugin's AJAX action functionality, which fails to properly verify that posts being retrieved are public maps, potentially exposing private and draft posts to unauthorized users (WPScan, NVD).

The vulnerability is classified as an Authorization Bypass Through User-Controlled Key (CWE-639) with a CVSS v3.1 base score of 5.3 (Medium). The issue stems from improper access control in the AJAX action 'mapp_get_post', where the plugin fails to validate whether the requested post is a public map. A previous fix attempt in version 2.88.15 was insufficient as it still allowed authenticated users with subscriber-level access to read arbitrary private and draft posts (WPScan).

The vulnerability allows unauthenticated users to read arbitrary private and draft posts that should be restricted. This represents a significant privacy breach as sensitive content intended to remain private could be exposed to unauthorized individuals (WPScan).

The vulnerability has been fixed in version 2.88.16 of the MapPress Maps for WordPress plugin. Site administrators are strongly advised to update to this version to protect against unauthorized access to private and draft posts (WPScan).