Vendor: WP Google Maps
By: Mohammed Adam
CVSS: 5.4 (MEDIUM)
Type: Stored Cross-Site Scripting (XSS)
CWE: 79
Product Name: WP Google Maps
Affected Version From: 8.1.11
Affected Version To: 8.1.11
Patch Exists: YES
Related CWE: CVE-2021-24383
CPE: 2.3:a:wordpress:wp_google_maps:8.1.11
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 10
2021

WordPress Plugin WP Google Maps 8.1.11 – Stored Cross-Site Scripting (XSS)

A stored cross-site scripting (XSS) vulnerability exists in WordPress Plugin WP Google Maps 8.1.11. An attacker can inject malicious JavaScript code into the Map Name field when editing a map, which will be triggered when viewing the Map List. This could allow the attacker to steal cookies and hijack user sessions.

Mitigation:

Update to version 8.1.12 or later.

Exploit-DB raw data:

# Exploit Title: WordPress Plugin WP Google Maps 8.1.11 - Stored Cross-Site Scripting (XSS)
# Date: 22/6/2021
# Exploit Author: Mohammed Adam
# Vendor Homepage: https://www.wpgmaps.com/
# Software Link: https://wordpress.org/plugins/wp-google-maps/
# Version: 5.7.2
# Tested on: Windows 10
# CVE: CVE-2021-24383
# References link: https://wpscan.com/vulnerability/1270588c-53fe-447e-b83c-1b877dc7a954

*Proof of Concept*

*Steps to Reproduce:*

1) Edit a map (e.g. /wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1)

2) Change Map Name to <script>alert(document.cookie)</script>

3) Save the Map

4) Stored XSS will be triggered when viewing the Map List (/wp-admin/admin.php?page=wp-google-maps-menu)
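
The output-encoding fix for the Map Name field described above, shown as an added example that is neither the plugin's code nor part of the original advisory. The function names and sample rows are hypothetical, and htmlspecialchars() stands in for WordPress's esc_html() so the script runs without WordPress.

```php
<?php
// Added example: hypothetical stand-ins, not WP Google Maps source code.

// Constructed sample rows, shaped like what a Map List query might return.
$maps = [
    ['id' => 1, 'name' => 'Store locations'],
    // Map Name value from the reproduction steps on this page.
    ['id' => 2, 'name' => '<script>alert(document.cookie)</script>'],
];

// Vulnerable pattern: the stored name is concatenated into HTML unchanged,
// so the browser parses it as markup every time the list is viewed.
function render_row_unescaped(array $map): string
{
    return '<tr><td>' . $map['id'] . '</td><td>' . $map['name'] . "</td></tr>\n";
}

// Hardened pattern: encode at output time. In WordPress code esc_html()
// fills this role; htmlspecialchars() keeps the example stand-alone.
function render_row_escaped(array $map): string
{
    $name = htmlspecialchars($map['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . (int) $map['id'] . '</td><td>' . $name . "</td></tr>\n";
}

// Audit helper: after upgrading, list stored names that still contain
// angle brackets so an administrator can review and clean them.
function names_needing_review(array $maps): array
{
    return array_values(array_filter(
        $maps,
        fn(array $m): bool => preg_match('/[<>]/', $m['name']) === 1
    ));
}

foreach ($maps as $map) {
    echo 'unescaped: ', render_row_unescaped($map);
    echo 'escaped:   ', render_row_escaped($map);
}
foreach (names_needing_review($maps) as $m) {
    echo "review map_id={$m['id']}: ", json_encode($m['name']), "\n";
}
```

Updating the plugin stops new input from being rendered unsafely, but names saved before the update remain in the database, which is why the audit pass is worth running once after patching.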