Vulnerabilites related to Unknown - WP Go Maps (formerly WP Google Maps)
cve-2023-6627
Vulnerability from cvelistv5
Published
2024-01-08 19:00
Modified
2024-08-02 08:35
Severity ?
Summary
The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.28 does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site.
References
https://wpscan.com/vulnerability/f5687d0e-98ca-4449-98d6-7170c97c8f54exploit, vdb-entry, technical-description
https://wpscan.com/blog/stored-xss-fixed-in-wp-go-maps-9-0-28/technical-description
Impacted products
Vendor Product Version
Unknown WP Go Maps (formerly WP Google Maps) Version: 0   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:35:14.892Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "exploit",
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/f5687d0e-98ca-4449-98d6-7170c97c8f54"
          },
          {
            "tags": [
              "technical-description",
              "x_transferred"
            ],
            "url": "https://wpscan.com/blog/stored-xss-fixed-in-wp-go-maps-9-0-28/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "product": "WP Go Maps (formerly WP Google Maps)",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "9.0.28",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Marc Montpas"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.28 does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-79 Cross-Site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-08T19:00:30.023Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/f5687d0e-98ca-4449-98d6-7170c97c8f54"
        },
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://wpscan.com/blog/stored-xss-fixed-in-wp-go-maps-9-0-28/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WP Go Maps \u003c 9.0.28 - Unauthenticated Stored XSS",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2023-6627",
    "datePublished": "2024-01-08T19:00:30.023Z",
    "dateReserved": "2023-12-08T15:28:39.115Z",
    "dateUpdated": "2024-08-02T08:35:14.892Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}