Stored XSS Fixed In WP Go Maps 9.0.28

During an analysis of the WP Go Maps plugin (formerly WP Google Maps), we discovered a serious Stored XSS vulnerability that can be exploited by unauthenticated attackers, i.e. without any account on the targeted site.

When successfully exploited, this vulnerability lets an attacker perform any action the targeted logged‑in administrator is allowed to perform on the site, including installing arbitrary plugins and creating new rogue Administrator users.

Upon identifying the vulnerability, we promptly alerted the authors of that plugin, who released version 9.0.28 to fix the issue. It is crucial for administrators of sites using this plugin to ensure it is fully updated to safeguard against this vulnerability.

Unauthenticated Stored XSS

Fixed Version: 9.0.28
CVE-ID: CVE-2023-6627
WPVDB-ID: f5687d0e-98ca-4449-98d6-7170c97c8f54
CVSSv3.1: 8.8

The plugin registered multiple REST API routes, some of which shared a single callback method. That callback then worked out which code path to run by matching the route that led to it with regular expressions against $_SERVER['REQUEST_URI'], and by comparing the HTTP method found in $_SERVER['REQUEST_METHOD'].

switch( $_SERVER['REQUEST_METHOD'] )
{
    case 'GET':
        if(preg_match('#/wpgmza/v1/markers/(\d+)#', $route, $m)) {
            $marker = Marker::createInstance($m[1], Crud::SINGLE_READ, isset($_GET['raw_data']));
            return $marker;
        }
        // (... lots of code ...)
    case 'POST':
        if(preg_match('#/wpgmza/v1/markers/(\d+)#', $route, $m))
            $id = $m[1];
        else
            $id = -1;

Unfortunately, the WordPress REST API lets clients specify both the route and the HTTP method through other channels: the route can be supplied in the rest_route query variable, and the method can be overridden with the _method query parameter or the X-HTTP-Method-Override header. WordPress selects the endpoint, and runs that endpoint's permission_callback, based on these overridden values, while $_SERVER['REQUEST_URI'] and $_SERVER['REQUEST_METHOD'] still hold the original ones. An attacker could therefore have WordPress evaluate the permission check of a permissive endpoint (for example a public read) while the shared callback, trusting $_SERVER, took a code path reserved for a privileged method, bypassing the capability checks that would otherwise have applied to it.
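The following is an added example, not code from WP Go Maps or from WordPress core. It reproduces in a stand-alone PHP script how WordPress derives the dispatched request from _method, X-HTTP-Method-Override and rest_route, then contrasts a shared callback that branches on $_SERVER with one that branches on the request object. StubRestRequest, build_dispatched_request(), permitted(), route_action() and the sample marker route are assumptions made for the illustration; in a real plugin the callback receives a WP_REST_Request and the permission checks are declared through register_rest_route().

```php
<?php
// Added example, not WP Go Maps code: why a shared REST callback must not
// branch on $_SERVER when WordPress may have overridden the method or route.

// Stand-in for the two WP_REST_Request accessors used below (assumption: in a
// real plugin WordPress hands the callback an actual WP_REST_Request).
final class StubRestRequest
{
    public function __construct(private string $method, private string $route) {}
    public function get_method(): string { return $this->method; }
    public function get_route(): string  { return $this->route; }
}

// Mirrors how WP_REST_Server::serve_request() derives the request it dispatches:
// the route may come from the rest_route query variable, and the method is
// replaced by ?_method= or, failing that, by the X-HTTP-Method-Override header.
function build_dispatched_request(array $server, array $get): StubRestRequest
{
    $method = strtoupper($server['REQUEST_METHOD']);
    if (isset($get['_method'])) {
        $method = strtoupper($get['_method']);
    } elseif (isset($server['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
        $method = strtoupper($server['HTTP_X_HTTP_METHOD_OVERRIDE']);
    }

    $path  = parse_url($server['REQUEST_URI'], PHP_URL_PATH) ?? '/';
    $route = $get['rest_route'] ?? preg_replace('#^/wp-json#', '', $path);
    return new StubRestRequest($method, '/' . ltrim($route, '/'));
}

// Per-method permission_callback results, as register_rest_route() would
// express them: anyone may read a marker, only an administrator may write one.
function permitted(string $method, bool $is_admin): bool
{
    return $method === 'GET' ? true : $is_admin;
}

// The plugin-style "guess the code path from route + method" logic, shared by
// both callbacks so the only difference is WHERE method and route come from.
function route_action(string $method, string $route): string
{
    $is_single = (bool) preg_match('#/wpgmza/v1/markers/(\d+)#', $route, $m);
    switch ($method) {
        case 'GET':  return $is_single ? "read marker {$m[1]}"  : 'read all markers';
        case 'POST': return $is_single ? "write marker {$m[1]}" : 'create marker';
    }
    return 'unsupported';
}

// VULNERABLE pattern: $_SERVER is untouched by the override mechanism, so the
// chosen branch can disagree with the method whose permission_callback ran.
function vulnerable_callback(array $server, StubRestRequest $request): string
{
    return route_action($server['REQUEST_METHOD'], $server['REQUEST_URI']);
}

// FIXED pattern: branch on the request WordPress actually dispatched; its
// method and route are exactly what the permission check was evaluated against.
function fixed_callback(array $server, StubRestRequest $request): string
{
    return route_action($request->get_method(), $request->get_route());
}

// Simplified dispatcher: permission check for the dispatched method, then callback.
function dispatch(array $server, array $get, bool $is_admin, callable $callback): string
{
    $request = build_dispatched_request($server, $get);
    if (!permitted($request->get_method(), $is_admin)) {
        return 'forbidden';
    }
    return $callback($server, $request);
}

// Constructed request: an anonymous visitor sends a real POST to marker 1 but
// asks WordPress to dispatch it as GET, so the public read permission applies.
$server = ['REQUEST_METHOD' => 'POST', 'REQUEST_URI' => '/wp-json/wpgmza/v1/markers/1'];
$get    = ['_method' => 'GET'];

echo 'vulnerable: ', dispatch($server, $get, false, 'vulnerable_callback'), PHP_EOL;
echo 'fixed:      ', dispatch($server, $get, false, 'fixed_callback'), PHP_EOL;
```

Run it with the php CLI. For the constructed request the simulated permission check passes, because the dispatched method is GET, yet the vulnerable callback consults $_SERVER, takes the POST branch and "writes" marker 1 as an anonymous visitor; the fixed callback stays on the read path. The more robust design is to not guess at all: register each method as its own endpoint with its own callback and permission_callback, so there is no shared callback left to confuse.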

This, combined with other logic bugs around decoding HTML entities in user content that had already been sanitized, made it possible for unauthenticated attackers to conduct Stored XSS attacks.
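As an added illustration of that second ingredient, and not the plugin's own code, the script below shows the general pattern in which a later html_entity_decode() undoes an earlier sanitization step. strip_tags() stands in for a kses-style sanitizer that removes tags on input, render_buggy() and render_fixed() are hypothetical output paths, and the payload string is constructed for the example.

```php
<?php
// Added example, not WP Go Maps code: decoding HTML entities after
// sanitization turns entity-encoded text back into live markup.

// Sanitize on the way in: remove any markup the caller supplied (stand-in for
// a kses-style sanitizer; assumption, the plugin's real code is not reproduced).
function sanitize_on_write(string $input): string
{
    return strip_tags($input);
}

// Buggy output path: decode entities so stored text such as &amp; renders as &.
// This undoes the sanitizer whenever the entities spell out markup.
function render_buggy(string $stored): string
{
    return html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Fixed output path: encode for the HTML context at the point of output,
// and never decode what the sanitizer let through.
function render_fixed(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// True if the rendered string contains the start of a real tag.
function contains_live_tag(string $html): bool
{
    return (bool) preg_match('/<\s*[a-z]/i', $html);
}

// Constructed input: the attacker submits an entity-encoded payload, so a
// tag stripper sees only plain text and passes it through unchanged.
$payload = '&lt;img src=x onerror=alert(document.domain)&gt;';

$stored = sanitize_on_write($payload);
printf("stored : %s\n", $stored);
printf("buggy  : %s  (live tag: %s)\n", render_buggy($stored),
    contains_live_tag(render_buggy($stored)) ? 'yes' : 'no');
printf("fixed  : %s  (live tag: %s)\n", render_fixed($stored),
    contains_live_tag(render_fixed($stored)) ? 'yes' : 'no');
```

The stored value is byte-for-byte what the attacker sent, because there was nothing for the sanitizer to strip; the buggy renderer then produces an img element with an onerror handler, while the fixed renderer displays the submitted entities as literal text. The rule it illustrates is that sanitization must happen on the final form of the data: either decode before sanitizing, or never decode after.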

A proof of concept will be made available on the WPScan entry for this issue on January 1st, 2024.

Timeline

  • 2023‑12‑08 – Details of the vulnerability sent to the WP Go Maps team
  • 2023‑12‑09 – WP Go Maps confirms receipt of our report, and starts working on a fix
  • 2023‑12‑12 – A patch is released by the WP Go Maps team for this issue

Credits

Original research: Marc Montpas

Thanks to the rest of the WPScan team for feedback, help, and corrections.
