MapPress Maps < 2.53.9 - Authenticated Map Creation/Deletion Leading to Stored Cross-Site Scripting (XSS)
Description
Both the Free and Pro versions of this plugin register AJAX actions whose handler functions perform neither a capability check nor a nonce check. A logged-in attacker with minimal permissions, such as a subscriber, can therefore add a map containing malicious JavaScript to an arbitrary post or page by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to mapp_save, the postid parameter set to the target post, and the map parameter containing the JSON representation of the map to be added.

In particular, the attacker can place JavaScript in the title and body fields of a Point of Interest (POI) in the saved map. That JavaScript executes whenever a visitor to the site clicks the pin for that POI. If the global setting "Show a list of POIs with each map" is enabled, the JavaScript executes as soon as a visitor loads the affected post.
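The following is an added example, not MapPress code, of what an admin-ajax handler for the same three parameters (action=mapp_save, postid, map) looks like once the two checks the advisory says were missing are in place, with sanitisation of the POI title and body on top. The function names, the nonce action string, the meta key, the script handle and the JSON layout (a pois array with title/body keys) are assumptions for illustration only.

```php
<?php
// Added example, not the plugin's own code. Names below are hypothetical.

add_action( 'wp_ajax_mapp_save', 'example_mapp_save_handler' );

function example_mapp_save_handler() {
    // 1. Nonce check (CSRF protection). Rejects any request that does not
    //    carry a valid nonce for the 'example_mapp_save' action in $_POST['nonce'].
    //    check_ajax_referer() calls wp_die() with a 403 on failure.
    check_ajax_referer( 'example_mapp_save', 'nonce' );

    $postid = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;

    // 2. Capability check against the specific target post. 'edit_post' is a
    //    meta capability: a subscriber fails it, and an author cannot write
    //    into another user's post either.
    if ( ! $postid || ! current_user_can( 'edit_post', $postid ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $map = json_decode( wp_unslash( $_POST['map'] ?? '' ), true );
    if ( ! is_array( $map ) || ! isset( $map['pois'] ) || ! is_array( $map['pois'] ) ) {
        wp_send_json_error( 'invalid map', 400 );
    }

    // 3. Sanitise the POI fields that are later rendered on the front end.
    //    Title: plain text only. Body: limited to the post-safe HTML allow-list,
    //    which drops <script>, on* event handlers and javascript: URLs.
    foreach ( $map['pois'] as &$poi ) {
        $poi['title'] = sanitize_text_field( $poi['title'] ?? '' );
        $poi['body']  = wp_kses_post( $poi['body'] ?? '' );
    }
    unset( $poi );

    update_post_meta( $postid, '_example_mapp_map', $map );
    wp_send_json_success( array( 'postid' => $postid ) );
}

// The nonce has to be minted server-side for the logged-in user and handed to
// the editor script that issues the request. 'example-mapp-editor' is assumed
// to be a script handle registered elsewhere.
function example_mapp_enqueue() {
    wp_localize_script( 'example-mapp-editor', 'exampleMapp', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_mapp_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_mapp_enqueue' );
```

Two caveats a practitioner would check. First, sanitising on save is defence in depth, not a substitute for output encoding: the code that renders the pin popup and the POI list must still pass the title through esc_html() (or esc_js() if it is emitted into a script context). Second, fixing the handler does not clean up maps already stored by an attacker, so after upgrading a site that was exposed, the existing map data for posts should be reviewed for injected markup.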

Affects Plugin

fixed in version 2.53.9

References

CVE 2020-12077
URL https://www.wordfence.com/blog/2020/04/critical-vulnerabilities-patched-in-mappress-maps-plugin/

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Original Researcher Ramuel Gall (Wordfence)
Submitter Ramuel Gall
Views 1256
Verified No
WPVDB ID 10187

Timeline

Publicly Published 2020-04-23
Added 2020-04-23
Last Updated 2020-04-24
