WordPress Snazzy Maps 1.1.3 Cross Site Scripting Vulnerability

2018-07-27
ID: 98708
CVE: None
Download vulnerable application: None
Advisory Title: WordPress Snazzy Maps Plugin Multiple XSS
 Vulnerabilities
Advisory URL:   http://www.defensecode.com/advisories.php
Software:       WordPress Snazzy Maps plugin
Language:       PHP
Version:        1.1.3 and below
Vendor Status:  Vendor contacted, no response
Release Date:   2018/07/24
Risk:           Medium
   1. General Overview
===================
During the security audit of Snazzy Maps plugin for WordPress CMS,
multiple Cross-Site Scripting (XSS) vulnerabilities were discovered
using DefenseCode ThunderScan application source code security
analysis platform.
 More information about ThunderScan is available at URL:
http://www.defensecode.com
  2. Software Overview
====================
According to the plugin developers, Snazzy Maps can apply styles to
your Google Maps with the official Snazzy Maps WordPress plugin.
 According to wordpress.org, it has more than 60,000 active installs.
 Homepage:
https://wordpress.org/plugins/snazzy-maps/
  3. Vulnerability Description
============================
During the security analysis, ThunderScan discovered
multiple Cross-Site Scripting vulnerabilities in Snazzy Maps
WordPress plugin.
 The Cross-Site Scripting vulnerability can enable the attacker to
construct the URL that contains malicious JavaScript code. If the
administrator of the site makes a request to such an URL, the
attacker's code will be executed, with unrestricted access to the
WordPress site in question. The attacker can entice the administrator
to visit the URL in various ways, including sending the URL by email,
posting it as a part of the comment on the vulnerable site or another
forum.
 3.1 Cross-Site Scripting
  Vulnerable Function:  echo()
  Vulnerable Variable:  $_GET['text']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/themes.php?page=snazzy_maps&tab=1&text="></script><script>alert(42)</script>
  File:                 snazzy-maps/admin/explore.php
  ---------
  28 $text = isset($_GET['text']) ? $_GET['text'] : '';
  ...
  34 <input name="text" type="text" placeholder="Search..."
value="<?php echo $text ?>"/>
  ---------
 3.2 Cross-Site Scripting
  Vulnerable Function:  echo()
  Vulnerable Variable:  $_GET['tab']
  Vulnerable URL:
http://vulnerablesite.com/wp-admin/themes.php?page=snazzy_maps&tab=1"></script><script>alert(42)</script>
  File:                 snazzy-maps/admin/index.php
  ---------
  69 $active_tab = isset($_GET['tab']) ? $_GET['tab'] : '0';
  ...
  98 <a href="?page=snazzy_maps&tab=<?php echo $active_tab;
?>&welcome=hide" class="welcome-panel-close">Dismiss</a>
  ---------
  4. Solution
===========
All users are strongly advised to update WordPress Snazzy Maps plugin
to the latest available version as soon as the vendor releases an
update that fixes the vulnerabilities.
1-4-2 (www02)