CVE-2023-6524 — MapPress WP Plugin <= 2.88.13 Contributor+ Stored Cross-Site Scripting

The plugin embeds maps together with each location's details (Name and Description). These fields are not sanitized, causing an XSS vulnerability. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Proof of Concept

  1. Go to the plugin's page:
    /wp-admin/admin.php?page=mappress_maps
  2. Add a new map and search for any location you want.
  3. Add the XSS payload to the location's details (Location Name and Description):
    <img src onerror=alert(/XSS/)>
  4. Save the map.
  5. Copy the created map's shortcode, then paste it into a new post.

The XSS payload will be triggered on the created page.

Impact

This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
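
For sites that ran an affected version, the following added example (not code from the plugin or from the original advisory) audits stored location Name and Description values for markup that would execute when rendered. The record layout (`map_id`, `name`, `description`) and the sample records are assumptions constructed for illustration, not MapPress's storage schema.

```python
from html.parser import HTMLParser

# Elements that load or run active content by themselves.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose value is a URL and can therefore carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveMarkupFinder(HTMLParser):
    """Collects constructs that run script when a field is rendered as HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Drop whitespace/control characters, which browsers ignore in a scheme.
            compact = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):  # event handlers such as onerror, onload
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit_locations(locations):
    """Return (map_id, field, finding) for every suspicious Name/Description."""
    hits = []
    for loc in locations:
        for field in ("name", "description"):
            finder = ActiveMarkupFinder()
            finder.feed(loc.get(field) or "")
            finder.close()
            hits.extend((loc["map_id"], field, f) for f in finder.findings)
    return hits


# Constructed sample records; the dict layout is an assumption for this example.
SAMPLE_LOCATIONS = [
    {"map_id": 1, "name": "Head office", "description": "<b>Open</b> 9-5, cafe & bar"},
    {"map_id": 2, "name": "<img src onerror=alert(/XSS/)>", "description": "Depot"},
    {"map_id": 3, "name": "Shop", "description": '<a href="JavaScript:void(0)">info</a>'},
]

if __name__ == "__main__":
    for map_id, field, finding in audit_locations(SAMPLE_LOCATIONS):
        print(f"map {map_id}: {field}: {finding}")
```

Any hit identifies a map whose location details should be reviewed and cleaned, along with the posts that embed its shortcode.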