Alert Logic researchers have warned WordPress administrators of a significant vulnerability in the MapPress Maps for WordPress plugin. When exploited, the flaw lets an attacker tamper with the site's PHP files and, ultimately, execute code remotely.
The underlying error was that the plugin's AJAX functions for creating, deleting and retrieving PHP (template) files did not properly verify who was calling them. The bug affects over 80,000 websites.
Because those checks were missing, an authenticated attacker (any logged-in user the plugin failed to check) could delete any existing PHP file on the site by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to mapp_tpl_delete and the name parameter set to the basename of the target file.
For example, because the supplied name is used to build a file path, a path traversal payload such as ../../../wp-config in the name parameter would delete wp-config.php. Without that file WordPress reverts to its fresh-install state, and the attacker can then run the setup process, point the site at a malicious database they host remotely, and take control of it.
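The following is an added example, not code from the MapPress plugin or from Alert Logic, showing the flaw class described above in a WordPress admin-ajax handler: the vulnerable shape (caller-controlled name joined straight onto a directory, with no authorisation or CSRF check) next to a hardened version. The function names, the nonce action name and the mapp-templates directory are assumptions made for illustration.

```php
<?php
// Added example, not MapPress code. Hypothetical function names; the template
// directory path and the nonce action 'mapp_tpl_nonce' are assumptions.

// VULNERABLE PATTERN (illustrative): no capability check, no nonce, and the
// caller-controlled name is appended directly to the directory, so
// name=../../../wp-config walks out of the templates folder and unlinks wp-config.php.
function vuln_tpl_delete() {
    $dir  = WP_CONTENT_DIR . '/mapp-templates/';   // assumed location
    $name = $_POST['name'];
    $file = $dir . $name . '.php';
    if ( file_exists( $file ) ) {
        unlink( $file );
    }
    wp_send_json_success();
}

// HARDENED PATTERN: authorisation, CSRF token, and path confinement.
function hardened_tpl_delete() {
    // 1. Only users allowed to manage the site may delete template files.
    //    wp_send_json_error() ends the request, so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Require a nonce so a logged-in admin cannot be tricked into sending
    //    the request from another site. check_ajax_referer() dies on failure.
    check_ajax_referer( 'mapp_tpl_nonce', 'nonce' );

    // 3. Reduce the supplied value to a bare file name: sanitize_file_name()
    //    strips characters unsafe in file names (including '/'), basename()
    //    drops any directory component that survives.
    $name = isset( $_POST['name'] ) ? sanitize_file_name( wp_unslash( $_POST['name'] ) ) : '';
    $name = basename( $name );
    if ( $name === '' || $name === '.' || $name === '..' ) {
        wp_send_json_error( 'bad name', 400 );
    }

    // 4. Resolve both paths and confirm the target really sits inside the
    //    templates directory. This catches traversal even if step 3 is bypassed
    //    (symlinks, future sanitiser changes) and rejects non-existent files.
    $dir  = realpath( WP_CONTENT_DIR . '/mapp-templates' );  // assumed location
    $file = ( $dir !== false ) ? realpath( $dir . '/' . $name . '.php' ) : false;
    if ( $dir === false || $file === false
         || strpos( $file, $dir . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'not a template', 400 );
    }

    if ( ! unlink( $file ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $name ) );
}

// Register only the hardened handler for the mapp_tpl_delete action.
add_action( 'wp_ajax_mapp_tpl_delete', 'hardened_tpl_delete' );
```

Each of the four checks addresses a distinct part of the bug report: the capability test stops low-privilege accounts, the nonce stops cross-site request forgery against an administrator, and the basename plus realpath confinement is what actually blocks the ../../../wp-config traversal. Deploying only the first two would still leave an administrator able to delete arbitrary PHP files, so the path check is not optional.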