CVE-2023-3412 in Image Map Pro Plugin
Summary
by MITRE • 06/27/2023
The Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.0. This is due to a missing capability check on the ajax_store_save() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify plugin settings and inject malicious web scripts.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/10/2026
The vulnerability identified as CVE-2023-3412 affects the Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite plugin for WordPress, representing a critical security flaw that undermines the platform's integrity. This issue specifically targets versions up to and including 1.0.0, where the plugin fails to implement proper access controls for its ajax_store_save() function. The vulnerability stems from the absence of capability checks that should normally verify user permissions before allowing modifications to plugin configurations. This oversight creates a pathway for malicious actors who possess minimal privileges within the WordPress environment to exploit the system.
The technical implementation of this vulnerability involves a stored cross-site scripting attack vector that occurs through the plugin's ajax_store_save() function. When authenticated users with subscriber-level permissions interact with the plugin's administrative features, they can manipulate the underlying code through specially crafted inputs that get stored within the application's database. This stored payload then executes whenever other users access the affected pages, creating a persistent threat that can propagate throughout the WordPress installation. The flaw directly maps to CWE-79, which classifies stored cross-site scripting vulnerabilities as those where malicious scripts are stored on the server and executed when users access compromised pages.
The operational impact of this vulnerability extends beyond simple script injection, as it allows attackers to potentially escalate their privileges within the WordPress environment. Subscribers who gain access to the plugin's functionality can modify core settings and inject malicious code that could compromise other users or even the entire website. The attack surface is particularly concerning because it requires minimal user permissions to exploit, making it accessible to anyone with basic account access. This vulnerability also aligns with ATT&CK technique T1547.001, which describes the use of privilege escalation through legitimate credentials, as attackers can leverage their subscriber status to gain unauthorized access to plugin management functions.
Mitigation strategies for CVE-2023-3412 should prioritize immediate plugin updates to versions that address the missing capability checks in the ajax_store_save() function. System administrators should implement comprehensive access control policies that limit plugin functionality to users with appropriate administrative privileges. The vulnerability highlights the importance of proper input validation and capability verification within WordPress plugins, particularly those handling user-generated content or configuration modifications. Organizations should conduct thorough security audits of all installed plugins to identify similar missing capability checks, as this represents a common pattern in WordPress plugin vulnerabilities. Additionally, implementing web application firewalls and monitoring for unusual administrative activities can provide early detection of exploitation attempts. The remediation process should include not only updating the vulnerable plugin but also reviewing and hardening the overall WordPress security posture to prevent similar issues in other components of the system.