7 Apr 2023

Shortcode Execution Vulnerability in MapSVG

Over at our main business, we were recently cleaning up a hacked WordPress website. As part of that service, we run the plugins being used on the website through the same software we use for proactive monitoring to catch serious vulnerabilities being introduced into WordPress plugins. Through that we caught a couple of less serious vulnerabilities in the commercial plugin MapSVG. In line with our reasonable disclosure policy, we are disclosing the vulnerabilities as the developer hasn’t gotten back to us in the week since we notified them of the vulnerabilities (the developer never fixed a vulnerability we discovered in their free MapSVG Lite in 2019).

One of the vulnerabilities allows those not logged in to WordPress to execute WordPress shortcodes (those logged in are allowed to do that by WordPress).

In the file /php/Domain/ShortcodeRender/shortcodes.php, the following code runs when a WordPress page is loaded and executes a shortcode specified by the GET or POST input mapsvg_shortcode_inline:

if(isset($_GET['mapsvg_shortcode_inline'])){
    $shortcode = wp_strip_all_tags( stripslashes($_REQUEST['mapsvg_shortcode_inline']) );
    echo do_shortcode( $shortcode );
    exit;
}

The code does sanitize the value with wp_strip_all_tags(), which prevents a reflected cross-site scripting (XSS) vulnerability from also existing there; it does not, however, check whether the request comes from a logged-in user before executing the shortcode.

The file /php/Domain/ShortcodeRender/blank-template.php contains code that executes a shortcode specified by the GET or POST input mapsvg_shortcode_inline without sanitization:

<?php if(isset($_GET['mapsvg_shortcode_inline'])){
  echo do_shortcode($_GET['mapsvg_shortcode_inline']);
}

That second code path doesn’t appear to be reachable, because the first block runs earlier in the request and calls exit in every situation where the second block would otherwise have run.
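For comparison, here is how the same inline-rendering endpoint could be written so that only users WordPress already trusts with shortcodes can reach it. This is an added example, not MapSVG’s code or its fix; the hook, the function name and the nonce action name are assumptions.

```php
<?php
// Added example (not the plugin's code): a hardened replacement for the
// mapsvg_shortcode_inline handler. The template_redirect hook, the function
// name and the nonce action "mapsvg_inline_preview" are assumptions.
function mapsvg_example_render_inline_shortcode() {
    if ( ! isset( $_REQUEST['mapsvg_shortcode_inline'] ) ) {
        return; // nothing to render, continue normal page load
    }

    // Unauthenticated visitors must never reach do_shortcode(): require a
    // logged-in user who is already allowed to place shortcodes in content
    // (edit_posts is an assumed, reasonable capability for that).
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }

    // CSRF protection: the request must carry a nonce issued to this user,
    // otherwise a logged-in user could be tricked into triggering it.
    check_admin_referer( 'mapsvg_inline_preview', '_mapsvg_nonce' );

    // Keep the tag stripping so rendered output cannot reflect raw markup;
    // wp_unslash() is the WordPress-native equivalent of stripslashes().
    $shortcode = wp_strip_all_tags( wp_unslash( $_REQUEST['mapsvg_shortcode_inline'] ) );

    echo do_shortcode( $shortcode );
    exit;
}
add_action( 'template_redirect', 'mapsvg_example_render_inline_shortcode' );
```

The capability check is what closes the issue described above; the nonce is an extra step against cross-site request forgery that the page’s vulnerable version also lacks.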

Timeline

March 30 – Developer notified.

Proof of Concept

The following proof of concept will cause a specified shortcode to be executed.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[shortcode]” with the shortcode to be executed.

http://[path to WordPress]/?mapsvg_shortcode_inline=[shortcode]

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
