The Google Maps Easy WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.9.33. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
References
| Link | Resource |
|---|---|
| https://github.com/BigTiger2020/word-press/blob/main/Google%20Maps%20Easy.md | Exploit Third Party Advisory |
| https://plugins.trac.wordpress.org/changeset/2620851/google-maps-easy/trunk/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php | Patch Third Party Advisory |
| https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39346 | Third Party Advisory |
Configurations
History
02 Nov 2021, 19:58
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:supsystic:easy_google_maps:*:*:*:*:*:wordpress:*:* | |
| CVSS |
v2 : v3 : |
v2 : 2.1
v3 : 4.8 |
| References | (MISC) https://plugins.trac.wordpress.org/changeset/2620851/google-maps-easy/trunk/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php - Patch, Third Party Advisory | |
| References | (MISC) https://github.com/BigTiger2020/word-press/blob/main/Google%20Maps%20Easy.md - Exploit, Third Party Advisory | |
| References | (MISC) https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39346 - Third Party Advisory |
01 Nov 2021, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2021-11-01 21:15
Updated : 2024-02-04 22:08
NVD link : CVE-2021-39346
Mitre link : CVE-2021-39346
CVE.ORG link : CVE-2021-39346
JSON object : View
Products Affected
supsystic
- easy_google_maps
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')