WP Go Maps Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2024-3557 | WordPress Plugin Vulnerability Report
Plugin Name: WP Go Maps
Key Information:
- Software Type: Plugin
- Software Slug: wp-google-maps
- Software Status: Active
- Software Author: wpgmaps
- Software Downloads: 23,515,825
- Active Installs: 400,000
- Last Updated: May 23, 2024
- Patched Versions: 9.0.37
- Affected Versions: <= 9.0.36
Vulnerability Details:
- Name: WP Go Maps (formerly WP Google Maps) <= 9.0.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-3557
- CVSS Score: 6.4 (Medium)
- Publicly Published: May 23, 2024
- Researcher: Thanh Nam Tran
- Description: The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpgmza shortcode in all versions up to, and including, 9.0.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The WP Go Maps plugin for WordPress has a vulnerability in versions up to and including 9.0.36 that allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the plugin's wpgmza shortcode due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 9.0.37.
Detailed Overview:
Thanh Nam Tran discovered a stored cross-site scripting (XSS) vulnerability in the WP Go Maps (formerly WP Google Maps) plugin for WordPress. The vulnerability exists in the plugin's wpgmza shortcode and is due to insufficient input sanitization and output escaping on user-supplied attributes. As a result, authenticated attackers with contributor-level access and above can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability poses a significant risk as it allows attackers to steal sensitive user information, perform unauthorized actions, or redirect users to malicious websites. The vulnerability has been patched in version 9.0.37.
Advice for Users:
- Immediate Action: Update the WP Go Maps plugin to version 9.0.37 or later to ensure your WordPress installation is secure.
- Check for Signs of Vulnerability: Review your site's pages and posts for any suspicious or unexpected content that may indicate a compromised site.
- Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
The prompt response from the WP Go Maps developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 9.0.37 or later to secure their WordPress installations.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-maps
Detailed Report:
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.