[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Multiple Cross-Site Scripting (XSS) in WP Google Maps WordPress Plugin

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Multiple Cross-Site Scripting (XSS) in WP Google Maps WordPress Plugin
From: High-Tech Bridge Security Research <advisory@xxxxxxxxxxxx>
Date: Wed, 15 Oct 2014 10:30:00 +0200 (CEST)

Advisory ID: HTB23236
Product: WP Google Maps WordPress plugin
Vendor: WP Google Maps 
Vulnerable Version(s): 6.0.26 and probably prior
Tested Version: 6.0.26
Advisory Publication:  September 24, 2014  [without technical details]
Vendor Notification: September 24, 2014 
Vendor Patch: September 29, 2014 
Public Disclosure: October 15, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7182
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered three XSS vulnerabilities in 
WP Google Maps WordPress plugin, which can be exploited to perform Cross-Site 
Scripting (XSS) attacks against administrators of vulnerable WP website.

1) Multiple XSS in WP Google Maps WordPress plugin: CVE-2014-7182

1.1 Input passed via the "poly_id" HTTP GET parameter to "/wp-admin/admin.php" 
script is not properly sanitised before being returned to the user. A remote 
attacker can trick a logged-in administrator to open a specially crafted link 
and execute arbitrary HTML and script code in browser in context of the 
vulnerable website.

The exploitation example below uses the "alert()" JavaScript function to 
display "immuniweb" word:

http://wordpress/wp-admin/admin.php?page=wp-google-maps-menu&action=edit_poly&map_id=1&poly_id=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E

1.2 Input passed via the "poly_id" HTTP GET parameter to "/wp-admin/admin.php" 
script is not properly sanitised before being returned to the user. A remote 
attacker can trick a logged-in administrator to open a specially crafted link 
and execute arbitrary HTML and script code in browser in context of the 
vulnerable website.

The exploitation example below uses the "alert()" JavaScript function to 
display "immuniweb" word:
http://wordpress/wp-admin/admin.php?page=wp-google-maps-menu&action=edit_polyline&map_id=1&poly_id=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E

1.3 Input passed via the "poly_id" HTTP GET parameter to "/wp-admin/admin.php" 
script is not properly sanitised before being returned to the user. A remote 
attacker can trick a logged-in administrator to open a specially crafted link 
and execute arbitrary HTML and script code in browser in context of the 
vulnerable website.

The exploitation example below uses the "alert()" JavaScript function to 
display "immuniweb" word:
http://wordpress/wp-admin/admin.php?page=wp-google-maps-menu&action=edit_marker&id=%27%22%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E


-----------------------------------------------------------------------------------------------

Solution:

Update to WP Google Maps 6.0.27

More Information:
https://wordpress.org/plugins/wp-google-maps/changelog/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23236 - 
https://www.htbridge.com/advisory/HTB23236 - Multiple Cross-Site Scripting 
(XSS) in WP Google Maps WordPress Plugin.
[2] WP Google Maps WordPress plugin - http://www.wpgmaps.com/ - The easiest to 
use Google Maps plugin! Create custom Google Maps with high quality markers 
containing locations, descriptions, images and links. Add your customized map 
to your WordPress posts and/or pages quickly and easily with the supplied 
shortcode.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.

Prev by Date: Paypal Inc MultiOrderShipping API - Filter Bypass & Persistent XML Vulnerability
Next by Date: Reflected Cross-Site Scripting (XSS) in MaxButtons WordPress Plugin
Previous by thread: Paypal Inc MultiOrderShipping API - Filter Bypass & Persistent XML Vulnerability
Next by thread: Reflected Cross-Site Scripting (XSS) in MaxButtons WordPress Plugin
Index(es):
- Date
- Thread