CVE-2024-5994 in WP Go Maps Plugininfo

Summary

by MITRE • 06/14/2024

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Version 9.0.39 adds a caution to make administrators aware of the possibility for abuse if permissions are granted to lower-level users.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/23/2025

The WP Go Maps plugin for WordPress presents a significant security vulnerability classified as stored cross-site scripting in versions up to and including 9.0.38. This vulnerability specifically affects the Custom JS option functionality within the plugin's administrative interface. The flaw arises from insufficient input validation and output sanitization mechanisms that fail to properly filter malicious script content submitted through the Custom JS field. Attackers with contributor-level permissions or higher can exploit this weakness to inject persistent malicious scripts that will execute whenever any user accesses pages containing the injected content.

The technical implementation of this vulnerability stems from the plugin's failure to properly sanitize user input before storing it in the database and subsequently rendering it in web pages. When administrators grant contributor-level or higher permissions to users who may not fully understand the security implications, these privileged users can leverage the Custom JS functionality to insert malicious JavaScript code. The stored nature of this vulnerability means that the injected scripts persist in the database and execute automatically whenever affected pages are loaded, making the attack vector particularly dangerous for widespread impact.

The operational impact of this vulnerability extends beyond simple script injection as it enables attackers to perform various malicious activities including session hijacking, credential theft, data exfiltration, and redirection to malicious sites. The vulnerability affects all users who access pages containing the stored malicious content, potentially compromising multiple user sessions and system integrity. The security implications are particularly severe when considering that contributor-level users typically have limited administrative privileges but can still execute this attack vector. This represents a privilege escalation vulnerability that undermines the principle of least privilege within WordPress user management systems.

Organizations should immediately update to version 9.0.39 or later which includes a warning mechanism to alert administrators about the potential for abuse when granting permissions to lower-level users. System administrators should conduct comprehensive permission reviews to ensure that only trusted users have contributor-level access or higher. The vulnerability aligns with CWE-79 which describes cross-site scripting flaws, and can be mapped to ATT&CK technique T1548.001 for privilege escalation through the exploitation of user permissions. Additionally, implementing Content Security Policy headers and regular security audits of plugin configurations can provide additional defense-in-depth measures against similar vulnerabilities. The incident highlights the critical importance of input validation and output sanitization in web applications, particularly in content management systems where user permissions can be leveraged for malicious purposes.

Responsible

Wordfence

Disclosure

06/14/2024

Moderation

accepted

CPE

ready

EPSS

0.00367

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!