CVE-2024-3670 in Leaflet Maps Marker Plugin
Summary
by MITRE • 05/02/2024
The Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mapsmarker' shortcode in all versions up to, and including, 3.12.8 due to insufficient input sanitization and output escaping on user supplied attributes such as 'mapwidthunit'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/02/2025
The vulnerability identified as CVE-2024-3670 affects the Leaflet Maps Marker plugin for WordPress, specifically targeting versions up to and including 3.12.8. This plugin enables WordPress sites to display interactive maps using various mapping services including Google Maps, OpenStreetMap, and Bing Maps. The security flaw manifests through the plugin's 'mapsmarker' shortcode implementation where insufficient input sanitization and output escaping mechanisms fail to properly validate user-supplied attributes. Attackers can exploit this weakness by injecting malicious scripts through the 'mapwidthunit' parameter and other similar attributes that are processed within the shortcode functionality.
The technical nature of this vulnerability classifies it as a stored cross-site scripting vulnerability under CWE-079 - Improper Neutralization of Input During Web Page Generation. This designation indicates that the flaw allows attackers to store malicious code within the application's data storage that will later be executed when other users access pages containing the injected content. The vulnerability specifically affects authenticated attackers who possess contributor-level access or higher privileges within the WordPress environment, making it particularly concerning for sites that grant editorial permissions to multiple users. The attack vector leverages the shortcode processing mechanism where user inputs are not adequately sanitized before being rendered in web pages.
From an operational impact perspective, this vulnerability creates significant security risks for WordPress installations using the affected plugin. An attacker with contributor-level access can inject malicious scripts that will execute whenever any user accesses a page containing the compromised shortcode. This means that the malicious code could potentially steal user sessions, perform unauthorized actions on behalf of victims, or redirect users to malicious websites. The stored nature of the vulnerability means that the injected scripts persist in the database and will continue to execute for all users until the malicious content is removed or the plugin is updated. This makes the vulnerability particularly dangerous as it can affect multiple users over extended periods without requiring repeated exploitation attempts.
The mitigation strategy for CVE-2024-3670 involves immediate patching of the affected plugin to version 3.12.9 or later, which includes proper input sanitization and output escaping mechanisms. System administrators should also implement additional security measures such as restricting user permissions to minimize the attack surface, monitoring for unauthorized shortcode usage, and conducting regular security audits of WordPress plugins. The vulnerability aligns with ATT&CK technique T1548.003 - Steal or Forge Authentication Tokens, as it allows attackers to potentially escalate privileges and maintain persistent access through the execution of malicious scripts. Organizations should also consider implementing content security policies and regular vulnerability scanning to detect similar issues in other plugins or themes that may be susceptible to cross-site scripting attacks through insufficient input validation.