April 23

Critical Vulnerabilities Patched within MapPress Maps Plugin

WordPress Vulnerabilities

0  comments

This post was originally published on this site

On April 1, 2020, the Wordfence Risk Intelligence Group discovered two vulnerabilities within MapPress Maps for WordPress, the WordPress plugin with more than 80,000 installations. One vulnerability that allowed kept Cross-Web site Scripting (XSS) was within both free and pro variations of the plugin, while an even more essential vulnerability that allowed Remote control Program code Execution (RCE) was within the pro edition.

We reached away to the plugin’s author the very next day, April 2, 2020 and received a reply within a few hrs. A patched edition of both MapPress Totally free and MapPress Professional were released within hrs. We strongly suggest updating both free and pro variations to the most recent version, 2.54.2, as quickly as possible.

Wordfence Premium customers received a fresh firewall principle on April 2, 2020 to safeguard against exploits targeting these vulnerabilities. Wordfence users nevertheless using the free edition will have the rule after four weeks on, may 2, 2020.


Explanation: Authenticated Map Development/Deletion Resulting in Stored Cross-Web site Scripting (XSS)
Affected Plugin: MapPress Maps for WordPress
Plugin Slug: mappress-google-maps-for-wordpress
Affected Versions:
CVE ID: CVE-2020-12077
CVSS Score: 6.5(Medium)
CVSS Vector
:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/The:L
Fully Patched Version: 2.53.9

MapPress Maps for WordPress allows online marketers to include custom maps on the site, using both Search engines Maps API and the open-source Leaflet motor. Both free and pro variations of the plugin registered AJAX activities that called features lacking ability checks and nonce checks. The impacted AJAX hooks:

add_motion('wp_ajax_mapp_delete', array(__Course__, 'ajax_delete'));
add_actions('wp_ajax_mapp_conserve', array(__Course__, 'ajax_save'));

As this kind of, it was easy for a logged-in attacker with reduced permissions, like a subscriber, to include a map containing malicious JavaScript to a good arbitrary post or web page by sending a $_POST demand to wp-admin/admin-ajax.php with the activity parameter arranged to mapp_conserve, the postid parameter established to the write-up to include the map to, and the map parameter containing JSON information representing the map to become added. Malicious JavaScript could possibly be put into the title and body parameters of a “Point of Curiosity” in the preserved map, which may be executed every time a visitor to the website clicked on the mapping pin denoting that time of Interest (POI). On the other hand, if the worldwide setting for “Display a listing of POIs with every map” was allowed, the JavaScript will be executed instantly upon visiting a full page having an impacted map.

This vulnerability could redirect a niche site visitor to a malicious site, as well as use an administrator’s session to dominate the site with the addition of a malicious administrative consumer.

The vulnerable function:

   static perform ajax_save() 
       ob_start();

       $mapdata = (isset($_POST['map'])) ? json_decode(stripslashes($_Write-up['map']), true) : null;
       $postid = (isset($_POST['postid'])) ? $_POST['postid'] : null;

       if (!$mapdata)
           Mappress::ajax_reaction('Internal error, your computer data is not saved!');

       $map = brand new Mappress_Map($mapdata);
       $mapid = $map->conserve($postid);

       if ($mapid === false)
           Mappress::ajax_reaction('Internal error, your computer data is not saved!');

       do_action('mappress_map_conserve', $mapid);     // Use on your own developments

       // Return saved mapid
       Mappress::ajax_response('Okay', array('mapid' => $mapid));
   

Additionally, an attacker could delete a preexisting map simply by sending a $_POST request to wp-admin/admin-ajax.php with the motion parameter fixed to mapp_delete and the mapid parameter of the map to delete. While this might be considerably less impactful, it could be utilized by an attacker to eliminate any of the authentic maps on the webpage, possibly prompting an administrator to research and result in a script inserted right into a malicious map.

The vulnerable function:

   static functionality ajax_delete() 
       ob_start();

       $mapid = (isset($_POST['mapid'])) ? $_POST['mapid'] : null;
       $end result = Mappress_Map::delete($mapid);

       if (!$result)
           Mappress::ajax_response("Internal mistake when deleting map ID '$mapid'!");

       do_actions('mappress_map_delete', $mapid);   // Use on your own developments
       Mappress::ajax_response('Okay', array('mapid' => $mapid));
   

Explanation: Authenticated Document Upload, Deletion, and Disclosure Resulting in RCE or Web site Reset
Affected Plugin
: MapPress Maps for WordPress
Plugin Slug: mappress-google-maps-for-wordpress
Impacted Versions:
CVE ID: CVE-2020-12077
CVSS Score: 9.9(Critical)
CVSS Vector
: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Edition: 2.53.9

The pro version of the MapPress plugin supplies the capability to create templates controlling how maps are shown. It will save these templates as custom made .php files. Sadly, the plugin registered many AJAX activities that called features without capacity checks or nonce checks:

add_activity('wp_ajax_mapp_tpl_get', array(__Course__, 'ajax_get'));
add_motion('wp_ajax_mapp_tpl_save', array(__Course__, 'ajax_save'));
add_actions('wp_ajax_mapp_tpl_delete', array(__Course__, 'ajax_delete'));

Note that as the names of a few of these functions are usually identical to features in the last vulnerability, they are situated in another document and belong to another class. The document containing this vulnerable program code was present in both free and pro variations of the MapPress plugin, but was only mixed up in pro version.

As like, it was easy for a good authenticated attacker with reduced permissions to upload a good executable PHP file like a backdoor or even webshell. This may easily result in complete site takeover, being an attacker with backdoor gain access to could after that modify any document on the website, upload additional data files, or hook up to the database and put in an administrative consumer.

An attacker could exploit this vulnerability by sending a $_POST demand to wp-admin/admin-ajax.php with the activity parameter collection to mapp_tpl_save, the name parameter place to the bottom name of the document they wished to create, and the content parameter collection to executable PHP program code. This file would after that be created and may end up being executed from the directory of the presently active theme, leading to Remote Program code Execution.

The vulnerable function:

   static functionality ajax_save() 
       $name = (isset($_POST['name'])) ? $_POST['name'] : null;
       $content = (isset($_POST['content material'])) ? stripslashes($_Write-up['content']) : null;
       $filepath = obtain_stylesheet_directory() . '/' . $name . '.php';

       $result = @file_place_contents($filepath, $content);
       if ($result === false)
           Mappress::ajax_response('Not able to save');

       // Return filepath after save
       Mappress::ajax_response('Alright', $filepath);
   

An authenticated attacker may possibly also delete any current PHP document on the webpage by sending a $_POST demand to wp-admin/admin-ajax.php with the motion parameter place to mapp_tpl_delete, and the title parameter collection to the basename of the document to delete.

For illustration, to delete wp-config.php a directory traversal attack could possibly be used, with the name parameter place to ../../../wp-config. This might cause the website to be reset, of which stage an attacker could get control of the website by configuring it from scratch and linking it to a remotely hosted malicious data source.

The vulnerable function:

   static functionality ajax_delete() 
       $name = (isset($_POST['name'])) ? $_POST['name'] : null;
       $filepath = obtain_stylesheet_directory() . '/' . $name . '.php';

       $result = @unlink($filepath);
       if ($result === false)
           Mappress::ajax_response('Not able to delete');

       Mappress::ajax_response('OK');
   

Lastly, an authenticated attacker could view the contents of any kind of existing PHP file on the website simply by sending a $_Have request to wp-admin/admin-ajax.php with the actions parameter collection to mapp_tpl_get, and the title parameter of the document to reveal. For example, to see the contents of wp-config.php, a good attacker could place the name parameter to ../../../../wp-config. This may enable an attacker to look for the site’s data source credentials. If the web site’s data source allowed remote entry, the attacker could then utilize this to include an administrative user or even make any desired adjustments to the data source, up to deleting almost all of the web site’s articles.

The vulnerable function:

   static functionality ajax_get() 
       $name = (isset($_Obtain['name'])) ? $_Obtain['name'] : null;

       $filename = $name . '.php';
       $filepath = obtain_stylesheet_directory() . '/' . $filename;

       $html = @file_obtain_contents($filepath);
       $regular = @file_obtain_contents(Mappress::$basedir . "/templates/$filename");

       if (!$standard)
           Mappress::ajax_reaction('Invalid template');

       $template = brand-new Mappress_Template(array(
           'name' => $name,
           'content' => ($html) ? $html : $standard,
           'path' => $filepath,
           'standard' => $standard,
           'exists' => ($html) ? real : false
       ));

       Mappress::ajax_response('Fine', $template);
   

Disclosure Timeline

April 1, 2020 – Wordfence Threat Cleverness discovers and analyzes vulnerabilities.
April 2, 2020 – Firewall guideline released for Wordfence Superior users. Initial connection with plugin developer. Programmer releases patch prior to the end of day time.
May 2, 2020 – Firewall principle becomes open to Wordfence free customers.

Conclusion

Inside today’s write-up, we detailed 2 vulnerabilities inside the MapPress Maps for WordPress plugin, including a stored Cross-Web site Scripting (XSS) and a far more critical Remote Program code Execution (RCE), Document Disclosure, and Document deletion vulnerability. These vulnerabilities have already been completely patched in edition 2.53.9 and we strongly suggest that all users of the plugin improve to the most recent version available immediately. Websites running Wordfence Premium have already been protected against these vulnerabilities since April 2, 2020. Sites nevertheless running the free edition of Wordfence will have the firewall rule upgrade on, may 1, 2020.

Special because of Chris Richardson, the developer of the MapPress Maps for WordPress plugin, for his extremely fast and expert handling of our disclosure. Patching a vulnerability on a single time the vulnerability disclosure will be received by the programmer is an exemplary reaction.

The post Critical Vulnerabilities Patched in MapPress Maps Plugin appeared first on Wordfence.

About the author 

WP Maintain Support Protect

You may also like

Who Attacked SolarWinds and just why WordPress Users Have to know

Who Attacked SolarWinds and just why WordPress Users Have to know

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

WordPress Hardening: 18 Methods to Harden Security of one’s Website

WordPress Hardening: 18 Methods to Harden Security of one’s Website
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!