10Web Map Builder for Google Maps < 1.0.70 – Authenticated Stored XSS | Plugin Vulnerabilities

Description

The plugin does not validate or escape its MAP API Key, Center Address, Center Lat, Center Lng and Zoom Level settings in the admin dashboard, allowing high privilege users such as admin to use JavaScript payload in them, leading to Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed

Timeline (WPScanTeam)
June 29th, 2021 - Details sent to vendor
June 30th, 2021 - Vendor said they are aware of the report and working on a patch
July 3rd, 2021 - v1.0.69 released, issues still present
July 14th, 2021 - Disclosure
July 20th, 2021 - v1.0.70 released, fixing the issue

Proof of Concept

Add the payload below in the Map API Key, Center Address, Center Lat, Center Lng or Zoom Level settings (at /wp-admin/admin.php?page=options_gmwd)

" style=animation-name:rotation onanimationstart=alert(/XSS/)//

Affects Plugins

Fixed in 1.0.70

References

URL

https://m0ze.ru/vulnerability/[2021-06-12]-[WordPress]-[CWE-79]-10Web-Map-Builder-for-Google-Maps-Plugin-v1.0.68.txt

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

m0ze

Verified

Yes

WPVDB ID

619ec765-8131-423b-b31e-3626c59aae49

Timeline

Publicly Published

2021-06-14 (about 4 years ago)

Added

2021-07-14 (about 4 years ago)

Last Updated

2022-02-06 (about 4 years ago)

Other

Published

Title

Published

2025-01-14

Title

WP ViewSTL <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2026-04-03

Title

Visitor Traffic Real Time Statistics < 8.5 - Unauthenticated Stored Cross-Site Scripting

Published

2024-08-07

Title

Organization chart < 1.5.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via title_input and node_description Parameters

Published

2021-03-26

Title

Patreon WordPress < 1.7.2 - Reflected XSS on Login Form

Published

2023-11-09

Title

WP Event Manager < 3.1.43 - Reflected XSS