CVE-2020-12077

HIGH

MapPress < 2.53.9 - Unauthenticated Remote Code Execution via AJAX Function

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-12077. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary This PoC exploits CVE-2020-12077 in MapPress Maps Pro < 2.53.9, allowing authenticated users to achieve RCE via incorrect access control in AJAX actions. It demonstrates file upload, deletion, and disclosure by leveraging vulnerable 'mapp_tpl_save', 'mapp_tpl_delete', and 'mapp_tpl_get' functions.

Description

The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution.

Exploits (1)

nomisec WORKING POC 1 stars
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2020-12077

This PoC exploits CVE-2020-12077 in MapPress Maps Pro < 2.53.9, allowing authenticated users to achieve RCE via incorrect access control in AJAX actions. It demonstrates file upload, deletion, and disclosure by leveraging vulnerable 'mapp_tpl_save', 'mapp_tpl_delete', and 'mapp_tpl_get' functions.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: MapPress Maps Pro < 2.53.9
Auth required
Prerequisites: Valid WordPress credentials (subscriber-level access) · MapPress Maps Pro plugin < 2.53.9 installed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://wordpress.org/plugins/mappress-google-maps-for-wordpress/#developers

Scores

CVSS v3 8.8
EPSS 0.0561
EPSS Percentile 91.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
mappresspro/mappress < 2.53.9
Published Apr 23, 2020
Tracked Since Feb 18, 2026