Stored Cross-Site Scripting in Leaflet Maps Marker Plugin for WordPress
CVE-2024-3670
6.4MEDIUM
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 2 May 2024
Summary
The Leaflet Maps Marker plugin for WordPress contains a vulnerability that allows authenticated attackers with contributor-level access or higher to perform stored cross-site scripting attacks. This occurs through the plugin's 'mapsmarker' shortcode, which inadequately sanitizes and escapes user-supplied attributes, such as 'mapwidthunit'. As a result, attackers can inject arbitrary web scripts into pages, which will be executed in the browsers of users who visit the compromised pages.
Affected Version(s)
Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) * <= 3.12.8
References
CVSS V3.1
Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Krzysztof Zając