UpQode Google Maps <= 1.0.5 – Contributor+ Stored XSS | CVE 2023-0094

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

Exploit: [vc_ugm_map map_height='100px; background:red;" onmouseover="alert(1)"']

Note: WPBakery Page Builder plugin is required.

Affects Plugins

upqode-google-maps

No known fix

References

CVE

CVE-2023-0094

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.8 (medium)

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

LanaCodes

Verified

Yes

WPVDB ID

1453471f-164d-4487-a736-8cea086212fe

Timeline

Publicly Published

2023-02-13 (about 1 years ago)

Added

2023-02-13 (about 1 years ago)

Last Updated

2023-02-13 (about 1 years ago)

Other

Published

Title

Published

2017-06-11

Title

Gift Certificate Creator <= 1.0 - Stored XSS

Published

2024-01-31

Title

MW WP Form < 5.1.0 - Editor+ Stored XSS

Published

2021-06-21

Title

Prismatic < 2.8 - Reflected Cross-Site Scripting (XSS)

Published

2016-11-08

Title

Calendar <= 1.3.7 - Cross-Site Scripting (XSS)

Published

2023-06-26

Title

Optin Forms < 1.3.3 - Admin+ Stored XSS