WP Google Map < 1.7.7 – Authenticated Stored Cross-Site Scripting (XSS) | CVE 2021-24502

Description

The plugin did not sanitise or escape the Map Title before outputting them in the page, leading to a Stored Cross-Site Scripting issue by high privilege users, even when the unfiltered_html capability is disallowed

Proof of Concept

Create a new map.
Add an XSS payload to the title.
Click "Show as map title".
Add the map to a page or post with the shortcode.

Affects Plugins

gmap-embed

Fixed in 1.7.7

References

CVE

CVE-2021-24502

URL

https://drive.google.com/file/d/1CbBlsf0Vt1QLBTnSC-vod2UCMm_NnZ2p/view?usp=sharing

URL

https://plugins.trac.wordpress.org/changeset/2560064/gmap-embed

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.5 (low)

Miscellaneous

Original Researcher

Pratik Khalane

Submitter

Pratik Khalane

Verified

WPVDB ID

f95c3a48-5228-4047-9b92-de985741d157

Timeline

Publicly Published

2021-07-01 (about 2 years ago)

Added

2021-07-12 (about 2 years ago)

Last Updated

2022-04-12 (about 2 years ago)

Other

Published

Title

Published

2024-04-22

Title

Image Slider < 1.1.127 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2020-04-20

Title

GTranslate < 2.8.52 - Unauthenticated Reflected Cross Site Scripting (XSS)

Published

2023-03-27

Title

Newsletter < 7.6.9 - Reflected XSS

Published

2023-09-01

Title

HollerBox < 2.3.3 - Admin+ Stored XSS

Published

2016-08-02

Title

WangGuard <= 1.7.1 - Cross-Site Scripting (XSS)