10Web Map Builder for Google Maps < 1.0.70 - Authenticated Stored XSS

2021-06-14T00:00:00
ID WPVDB-ID:619EC765-8131-423B-B31E-3626C59AAE49
Type wpvulndb
Reporter wpvulndb
Modified 2021-07-20T15:57:08

Description

The plugin does not validate or escape its MAP API Key, Center Address, Center Lat, Center Lng and Zoom Level settings in the admin dashboard, allowing high privilege users such as admin to use JavaScript payload in them, leading to Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed Timeline (WPScanTeam) June 29th, 2021 - Details sent to vendor June 30th, 2021 - Vendor said they are aware of the report and working on a patch July 3rd, 2021 - v1.0.69 released, issues still present July 14th, 2021 - Disclosure July 20th, 2021 - v1.0.70 released, fixing the issue

PoC

Add the payload below in the Map API Key, Center Address, Center Lat, Center Lng or Zoom Level settings (at /wp-admin/admin.php?page=options_gmwd) " style=animation-name:rotation onanimationstart=alert(/XSS/)//