WPVDB-ID: AAF91707-F03B-4F25-BCA9-9FAC4945002A

Ultimate Maps by Supsystic < 1.2.16 - Admin+ Stored XSS

Published: 2024-01-12 00:00:00
Author: Mert Umut
Source: wpscan.com

Tags: supsystic, ultimate maps, stored xss, admin, cross-site scripting, marker categories, plugin

EPSS: 0.0004 (Low)
Percentile: 14.0%

Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PoC

Go to the Marker Categories settings of the plugin (/wp-admin/admin.php?page=ultimate-maps-supsystic&tab=marker_groups), add or edit a category and put the following payload as its title: text"autofocus/onfocus=alert(1)//

The XSS will be triggered when the related category is edited again.

CPE    Name    Operator    Version
                eq          1.2.16
