10Web Map Builder for Google Maps < 1.0.64 - Unauthenticated Stored XSS via Plugin Settings Change

"The vulnerability in 10Web Map Builder exists in the plugin’s setup process. The plugin’s setup functions are called during admin_init which, like Flexible Checkout Fields, is accessible to unauthenticated users. If an attacker injects malicious JavaScript into certain settings values, that code will execute for administrators in their dashboard as well as front-of-site visitors in some circumstances."

Affects Plugin

fixed in version 1.0.64


URL https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities/
URL https://plugins.trac.wordpress.org/changeset/2251882/wd-google-maps


Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)


Original Researcher Sean Murphy, QA Lead Matt Rusnak, and QA Engineer Ramuel Gall (Wordfence)
Views 2970
Verified No
WPVDB ID 10099


Publicly Published 2020-02-27 (4 months ago)
Added 2020-02-28 (4 months ago)
Last Updated 2020-02-29 (4 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin