WP Go Maps Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2024-3557 | WordPress Plugin Vulnerability Report

Plugin Name: WP Go Maps

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-google-maps
  • Software Status: Active
  • Software Author: wpgmaps
  • Software Downloads: 23,515,825
  • Active Installs: 400,000
  • Last Updated: May 23, 2024
  • Patched Versions: 9.0.37
  • Affected Versions: <= 9.0.36

Vulnerability Details:

  • Name: WP Go Maps (formerly WP Google Maps) <= 9.0.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-3557
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: May 23, 2024
  • Researcher: Thanh Nam Tran
  • Description: The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpgmza shortcode in all versions up to, and including, 9.0.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The WP Go Maps plugin for WordPress has a vulnerability in versions up to and including 9.0.36 that allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the plugin's wpgmza shortcode due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 9.0.37.

Detailed Overview:

Thanh Nam Tran discovered a stored cross-site scripting (XSS) vulnerability in the WP Go Maps (formerly WP Google Maps) plugin for WordPress. The vulnerability exists in the plugin's wpgmza shortcode and is due to insufficient input sanitization and output escaping on user-supplied attributes. As a result, authenticated attackers with contributor-level access and above can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability poses a significant risk as it allows attackers to steal sensitive user information, perform unauthorized actions, or redirect users to malicious websites. The vulnerability has been patched in version 9.0.37.

Advice for Users:

  1. Immediate Action: Update the WP Go Maps plugin to version 9.0.37 or later to ensure your WordPress installation is secure.
  2. Check for Signs of Vulnerability: Review your site's pages and posts for any suspicious or unexpected content that may indicate a compromised site.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the WP Go Maps developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 9.0.37 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-maps

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-maps/wp-go-maps-formerly-wp-google-maps-9036-authenticated-contributor-stored-cross-site-scripting-via-shortcode

Detailed Report:

As a website owner, keeping your WordPress site secure and up-to-date is of utmost importance. Failing to do so can leave your site vulnerable to attacks, compromising your data and potentially harming your users. In this blog post, we'll discuss a recently discovered vulnerability in the popular WP Go Maps plugin and the steps you should take to protect your website.

WP Go Maps Plugin Details

WP Go Maps, formerly known as WP Google Maps, is a widely-used WordPress plugin that allows users to easily add Google Maps to their websites. With over 400,000 active installations and more than 23 million downloads, this plugin is a popular choice among WordPress users.

Vulnerability Details

A severe vulnerability has been discovered in the WP Go Maps plugin, affecting all versions up to and including 9.0.36. The vulnerability, identified as CVE-2024-3557, is a stored cross-site scripting (XSS) flaw that exists in the plugin's wpgmza shortcode. Due to insufficient input sanitization and output escaping on user-supplied attributes, authenticated attackers with contributor-level access and above can inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page.

Risks and Potential Impacts

Exploiting this vulnerability, attackers can steal sensitive user information, perform unauthorized actions, or redirect visitors to malicious websites. This poses a significant risk to the security of your website and the safety of your users. An attacker could use this vulnerability to damage your site's reputation, compromise user data, or perform other malicious activities.

Vulnerability Remediation

To protect your website from this vulnerability, it is crucial that you update the WP Go Maps plugin to version 9.0.37 or later. This patched version addresses the vulnerability and ensures that your site remains secure. If you are unable to update the plugin immediately, consider temporarily disabling it until you can apply the update.

Previous Vulnerabilities

It is worth noting that the WP Go Maps plugin has had a history of security issues. Since October 2014, there have been 15 previously reported vulnerabilities in this plugin. This underscores the importance of regularly updating your plugins and staying informed about potential security risks.

The Importance of Staying Vigilant

As a small business owner, it can be challenging to stay on top of security vulnerabilities and keep your WordPress site updated. However, neglecting these critical tasks can put your website and your business at risk. Regularly updating your plugins, themes, and WordPress core is essential to maintaining a secure online presence.

To help manage your website's security, consider implementing the following best practices:

  1. Enable automatic updates for your WordPress site and plugins
  2. Regularly monitor your site for signs of suspicious activity
  3. Use strong, unique passwords and enable two-factor authentication
  4. Regularly back up your website to ensure you can quickly recover from any potential security incidents

By staying proactive and informed about potential security risks, you can protect your website, your users, and your business from the damaging effects of vulnerabilities like the one found in the WP Go Maps plugin.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WP Go Maps Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2024-3557 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment