10Web Map Builder for Google Maps < 1.0.64 – Unauthenticated Stored XSS via Plugin Settings Change | Plugin Vulnerabilities

Description

The vulnerability in 10Web Map Builder exists in the plugin’s setup process. The plugin’s setup functions are called during admin_init which, like Flexible Checkout Fields, is accessible to unauthenticated users. If an attacker injects malicious JavaScript into certain settings values, that code will execute for administrators in their dashboard as well as front-of-site visitors in some circumstances.

Affects Plugins

Fixed in 1.0.64

References

URL

https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/

URL

https://plugins.trac.wordpress.org/changeset/2251882/wd-google-maps

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Sean Murphy, QA Lead Matt Rusnak, and QA Engineer Ramuel Gall (Wordfence)

Verified

No

WPVDB ID

7ad91b85-6edf-49d7-b0b5-5c5eb0286533

Timeline

Publicly Published

2020-02-27 (about 6 years ago)

Added

2020-02-28 (about 6 years ago)

Last Updated

2020-02-29 (about 6 years ago)

Other

Published

Title

Published

2020-08-31

Title

WP Floating Menu < 1.4.1 - Authenticated Reflected Cross-Site Scripting

Published

2024-03-25

Title

Top Bar < 3.0.5 - Admin+ Stored XSS

Published

2025-09-26

Title

MWW Disclaimer Buttons < 3.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-01-07

Title

Mailing Group Listserv < 3.0.0 - Reflected Cross-Site Scripting

Published

2014-05-28

Title

Easy Career Opening <= 0.4 - Cross-Site Scripting (XSS)