Description

The WP Go Maps formerly WP Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Version 9.0.39 adds a caution to make administrators aware of the possibility for abuse if permissions are granted to lower-level users.

Classification

Assigner:

CWE:

Links
CPEs
  • wp_go_maps wp_google_maps 9.0.38
  • wp_go_maps wp_google_maps 9.0.39

CVSS

CVSS version: 3.1 Base score: 6.4
Base severity: MEDIUM Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Exploitability score: 3.1 Impact score: 2.7

Can you explain the CVE description?

This Common Vulnerabilities and Exposures (CVE) description is for a vulnerability identified as CVE-2024-5994 in the WP Go Maps plugin for WordPress. The vulnerability is a Stored Cross-Site Scripting (XSS) issue that exists in versions up to and including 9.0.38 of the plugin. This vulnerability allows authenticated attackers with contributor-level permissions or higher, who have been explicitly granted permissions by an administrator, to inject malicious scripts into pages that will execute when a user accesses the affected page. The impact of this vulnerability is rated as medium with a CVSS score of 6.4. The vulnerability was published on June 14, 2024, and the latest modification date was also on the same day. The exploitability score is 3.1 and the impact score is 2.7. Version 9.0.39 of the WP Go Maps plugin has been released to address this issue by adding a caution to make administrators aware of the potential abuse if permissions are granted to lower-level users. For more information and resources related to this vulnerability, you can refer to the provided URLs.

How can this vulnerability be part of an attack tree?

This vulnerability can be part of an attack tree by allowing authenticated attackers with contributor-level permissions or above to inject arbitrary web scripts into pages using the Custom JS option in the WP Go Maps plugin for WordPress. An attacker could exploit this vulnerability to execute malicious scripts whenever a user accesses a page where the script has been injected. This could lead to various malicious activities such as stealing sensitive information, redirecting users to malicious websites, or performing actions on behalf of the user without their consent. By exploiting this vulnerability, an attacker could escalate their privileges and gain further access to the WordPress site, potentially leading to a full compromise of the website and its data.


Generated on: 2024-07-01