WP Google Map < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS)

2021-07-01T00:00:00
ID WPEX-ID:F95C3A48-5228-4047-9B92-DE985741D157
Type wpexploit
Reporter Pratik Khalane
Modified 2021-08-10T07:19:13

Description

The plugin did not sanitise or escape the Map Title before outputting it in the page, leading to a Stored Cross-Site Scripting issue exploitable by high privilege users, even when the unfiltered_html capability is disallowed.

                                        
Create a new map.
Add an XSS payload to the title.
Click "Show as map title".
Add the map to a page or post with the shortcode.
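
The missing sanitisation and escaping named in the description, shown as an added example that is not the plugin's own code and not part of the original advisory: a hypothetical shortcode that prints a stored map title, first without escaping and then hardened. The function names, option name, form field names and shortcode tag are all assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical plugin code, not WP Google Map's source.
// Function names, the option name, form fields and the shortcode tag are assumptions.

// Save path: sanitise the title when the map is stored.
// With unfiltered_html disallowed, even an administrator's input is untrusted,
// so the plugin must not rely on the user's role here.
function example_map_save( array $post_data ) {
    $map = array(
        // sanitize_text_field() strips tags and normalises whitespace.
        'title'      => sanitize_text_field( wp_unslash( $post_data['map_title'] ?? '' ) ),
        'show_title' => ! empty( $post_data['show_title'] ),
    );
    update_option( 'example_map_settings', $map );
}

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// so any markup saved in it is rendered for every visitor of the page or post.
function example_map_shortcode_unsafe() {
    $map = get_option( 'example_map_settings', array() );
    $out = '';
    if ( ! empty( $map['show_title'] ) ) {
        $out .= '<h3 class="map-title">' . ( $map['title'] ?? '' ) . '</h3>';
    }
    return $out . '<div class="map-canvas"></div>';
}

// Hardened pattern: escape at the point of output, regardless of what the
// save path did, so titles stored by an older version are also neutralised.
function example_map_shortcode_safe() {
    $map = get_option( 'example_map_settings', array() );
    $out = '';
    if ( ! empty( $map['show_title'] ) ) {
        $out .= '<h3 class="map-title">' . esc_html( $map['title'] ?? '' ) . '</h3>';
    }
    return $out . '<div class="map-canvas"></div>';
}

// Register only the hardened renderer.
add_shortcode( 'example_map', 'example_map_shortcode_safe' );
```

Escaping on output is the control that matters for sites upgrading from an affected version, because titles saved before the fix remain in the database unchanged.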