WordPress Plugin Vulnerabilities

MapPress Maps for WordPress < 2.88.16 - Unauthenticated Arbitrary Private/Draft Post Disclosure

Description

The plugin does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts.

The fix made in 2.88.15 is not sufficient as it still allowed any authenticated users, such s subscriber to read arbitrary private and draft posts.

Proof of Concept

As an unauthenticated user, view the source of a page containing a Map from the plugin and retrieve the nonce from the mappl10n['options']['nonce'] JavaScript var, then open the below URL (replacing the oid by the ID or a private or draft post)

https://example.com/wp-admin/admin-ajax.php?action=mapp_get_post&oid=53&nonce=eef7edf9b9

Affects Plugins

Plugin icon
mappress-google-maps-for-wordpress
Fixed in 2.88.16

References

CVE
CVE-2024-0421

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter
Erwan LR
Verified
Yes
WPVDB ID
587acc47-1966-4baf-a380-6aa479a97c82

Timeline

Publicly Published
2024-01-17 (about 3 months ago)
Added
2024-01-17 (about 3 months ago)
Last Updated
2024-01-17 (about 3 months ago)

Other

Published
Title
Published
2024-04-15
Title
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder < 1.15.24 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2014-08-01
Title
IFrame Admin Pages <= 0.1 - Cross Site Scripting
Published
2023-10-02
Title
Email posts to subscribers <= 6.2 - Admin+ Stored XSS
Published
2024-01-16
Title
HD Quiz < 1.8.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
Published
2014-08-01
Title
Tweet Blender 4.0.1 - Unspecified XSS