Stored XSS Vulnerability in WP Baidu Map Plugin
CVE-2024-9886

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Baidu Map
Vendor: CVE Published:; 30 October 2024

Summary

The WP Baidu Map plugin for WordPress exhibits a vulnerability that allows for Stored Cross-Site Scripting (XSS) due to inadequate input validation and output escaping of user-supplied attributes through the 'baidu_map' shortcode. This security flaw permits authenticated attackers with at least contributor-level access to infuse arbitrary web scripts into web pages. When users access these compromised pages, the injected scripts execute, posing significant risks to site integrity and user data. It is crucial for WordPress administrators and site owners to ensure their plugins are up-to-date and follow security best practices to mitigate such vulnerabilities.

Affected Version(s)

WP Baidu Map * <= 1.2.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-baidu-map/t...

https://wordpress.org/plugins/wp-baidu-map/

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Oct 30, 2024
Vulnerability Reserved
Oct 11, 2024

Credit

Youcef Hamdani