WordPress Plugin Vulnerabilities

WP Google Maps < 8.1.12 - Authenticated Stored Cross-Site Scripting (XSS)

Description

The plugin did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue

Note: The vendor attributed the issue in the changelog to the wrong reporter (us, WPScan, as we reported it on behalf of the reporter). This will be corrected in the next version

Proof of Concept

Steps to Reproduce:

1) Edit a map (e.g /wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1)
2) Change Map Name to <script>alert(document.cookie)</script>
3) Save the Map
4) Stored XSS will be triggered when viewing the Map List (/wp-admin/admin.php?page=wp-google-maps-menu)

POC Screenshots attached in dropbox link: https://www.dropbox.com/s/z4gc6386xcm83vm/Stored%20xss%20in%20WP%20Googlemaps.zip?dl=0

Affects Plugins

Plugin icon
wp-google-maps
Fixed in 8.1.12

References

CVE
CVE-2021-24383

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Mohammed Adam
Submitter
Mohammed Adam
Submitter twitter
iam_amdadam
Verified
Yes
WPVDB ID
1270588c-53fe-447e-b83c-1b877dc7a954

Timeline

Publicly Published
2021-06-07 (about 2 years ago)
Added
2021-06-07 (about 2 years ago)
Last Updated
2021-08-10 (about 2 years ago)

Other

Published
Title
Published
2023-08-17
Title
Advanced Category Template <= 0.1 - Reflected XSS
Published
2017-04-19
Title
Simple Job Board <= 2.4.3 - Reflected XSS
Published
2024-04-18
Title
Essential Blocks < 4.5.10 - Contributor+ DOM-Based XSS via Social Icons Block
Published
2021-09-28
Title
Connections Business Directory < 10.4.3 - Admin+ Stored Cross-Site Scripting
Published
2023-09-20
Title
WP Event Manager < 3.1.38 - Admin+ Stored XSS