18 Sep 2019

Our Proactive Monitoring Caught a CSRF/PHP Object Injection Vulnerability in a WordPress Plugin with 100,000+ Installs

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Thanks to recent improvements to that monitoring, we caught a cross-site request forgery (CSRF)/PHP object injection vulnerability in WP Google Map Plugin, which has 100,000+ installs.

Yesterday, when discussing a vulnerability we accidentally ran across, we noted that the complicated nature of the code might have helped to explain how the security vulnerability came about. That seems like it could also apply to this plugin, as the code leading to the vulnerability seems overly complicated and the critical security code is more complicated than it needs to be, while not functioning properly. [Read more]

21 May 2018

Our Plugin Security Checker Found a Reflected XSS Vulnerability in WordPress Plugin with 100,000+ Active Installs

In a reminder of the rather poor state of security of WordPress plugins, and of how our Plugin Security Checker tool (which is accessible through a WordPress plugin of its own) can help you get a better idea of whether they need additional security scrutiny: when we ran the plugin WP Google Map Plugin through the tool to check whether it would have spotted a recently fixed reflected cross-site scripting (XSS) vulnerability in the plugin, we found that the plugin still contained another vulnerability of the same type (it also would have identified the possibility of the previous vulnerability if it had been checked).

In the file /core/class.initiate-core.php the function fc_geocoding() outputs the value of the variable $_POST, which contains any POST inputs sent with a request, without escaping it: [Read more]

10 May 2018

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP Google Map Plugin

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it, and in such cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

[Read more]