MapifyLite & MapifyPro < 4.0.0 – Authenticated Stored Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

The plugin does not sanitise the Image URL (either in the settings or in a location), allowing editor+ users to use a malicious payload, leading to Stored Cross-Site Scripting issues.

Notes (WPScanTeam):
- The vendor has been notified on March 24th, 2021
- April 3rd, 2021 - v4.0.0 released of MapifyLite and MapifyPro, fixing the issue

Proof of Concept

Login as Editor+, put the payload below in the Map Settings (or Maps if logged in as editor) > Default Pin Image, or Map Locations > Add/Edit > Gallery Image (then click 'Click here to add one.')

"><script>alert(/XSS/)</script>

Affects Plugins

mapifylite-master

Fixed in 4.0.0

Fixed in 4.0.0

References

URL

https://packetstormsecurity.com/files/#161939/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Eagle Eye

Verified

Yes

WPVDB ID

e5bfd53d-0d9a-42f2-8af8-5bb710bac828

Timeline

Publicly Published

2021-03-24 (about 4 years ago)

Added

2021-03-24 (about 4 years ago)

Last Updated

2021-06-26 (about 4 years ago)

Other

Published

Title

Published

2022-09-27

Title

Advanced Ads < 1.32.0 - Admin+ Stored XSS

Published

2024-04-15

Title

Shortcodes and extra features for Phlox theme < 2.15.8 - Contributor+ XSS via HTML Element

Published

2017-11-29

Title

WordPress 4.3.0-4.9 - HTML Language Attribute Escaping

Published

2021-08-10

Title

Picture Gallery < 1.4.4 - Authenticated Stored XSS

Published

2026-01-06

Title

Post Like Dislike <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']