Google Places Review < 2.0.0 – Admin+ Stored Cross Site Scripting | CVE 2022-1772

Description

The plugin does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their account.

Proof of Concept

Put the following payload in the "Google Places API Key" settings of the plugin: test" onfocus=javascript:alert('xss') height="

Affects Plugins

google-places-reviews

Fixed in 2.0.0

References

CVE

CVE-2022-1772

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

Krishna Harsha Kondaveeti

Submitter

krishna harsha

Verified

Yes

WPVDB ID

02addade-d191-4e45-b7b5-2f3f673679ab

Timeline

Publicly Published

2022-05-17 (about 2 years ago)

Added

2022-05-17 (about 2 years ago)

Last Updated

2022-05-18 (about 2 years ago)

Other

Published

Title

Published

2023-04-04

Title

Quick Paypal Payments < 5.7.26.4 - Admin+ Stored XSS

Published

2024-03-15

Title

Survey Maker < 4.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2011-11-17

Title

Flexible Custom Post Type < 0.1.7 - XSS

Published

2020-07-09

Title

Travel Booking < 2.8.4 - Unauthenticated Cross-Site Scripting (XSS)

Published

2023-02-20

Title

Video Background < 2.7.5 - Contributor+ Stored XSS via Shortcode