cnvd - cnvd-2023-06868

cnvd-2023-06868

Vulnerability from cnvd

Title: WordPress MapPress Maps plugin跨站脚本漏洞

Description:

WordPress是WordPress（Wordpress）基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。

WordPress MapPress Maps plugin 2.73.4之前版本中存在跨站脚本漏洞，该漏洞源于MapPress Maps插件在输出mapid参数之前并未能对mapid参数进行消毒和转义，攻击者可利用此漏洞导致反射跨站点脚本。

Severity: 中

Patch Name: WordPress MapPress Maps plugin跨站脚本漏洞的补丁

Patch Description:

WordPress是WordPress（Wordpress）基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。

WordPress MapPress Maps plugin 2.73.4之前版本中存在跨站脚本漏洞，该漏洞源于MapPress Maps插件在输出mapid参数之前并未能对mapid参数进行消毒和转义，攻击者可利用此漏洞导致反射跨站点脚本。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://wpscan.com/vulnerability/59a2abd0-4aee-47aa-ad3a-865f624fa0fc

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-0208

Impacted products

Name
WordPress MapPress Maps plugin <2.73.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-0208",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-0208"
    }
  },
  "description": "WordPress\u662fWordPress\uff08Wordpress\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\n\nWordPress MapPress Maps plugin 2.73.4\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eMapPress Maps\u63d2\u4ef6\u5728\u8f93\u51famapid\u53c2\u6570\u4e4b\u524d\u5e76\u672a\u80fd\u5bf9mapid\u53c2\u6570\u8fdb\u884c\u6d88\u6bd2\u548c\u8f6c\u4e49\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5bfc\u81f4\u53cd\u5c04\u8de8\u7ad9\u70b9\u811a\u672c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://wpscan.com/vulnerability/59a2abd0-4aee-47aa-ad3a-865f624fa0fc",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-06868",
  "openTime": "2023-02-07",
  "patchDescription": "WordPress\u662fWordPress\uff08Wordpress\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u4f7f\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u535a\u5ba2\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u5728PHP\u548cMySQL\u7684\u670d\u52a1\u5668\u4e0a\u67b6\u8bbe\u4e2a\u4eba\u535a\u5ba2\u7f51\u7ad9\u3002\r\n\r\nWordPress MapPress Maps plugin 2.73.4\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eMapPress Maps\u63d2\u4ef6\u5728\u8f93\u51famapid\u53c2\u6570\u4e4b\u524d\u5e76\u672a\u80fd\u5bf9mapid\u53c2\u6570\u8fdb\u884c\u6d88\u6bd2\u548c\u8f6c\u4e49\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5bfc\u81f4\u53cd\u5c04\u8de8\u7ad9\u70b9\u811a\u672c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "WordPress MapPress Maps plugin\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "WordPress MapPress Maps plugin \u003c2.73.4"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-0208",
  "serverity": "\u4e2d",
  "submitTime": "2022-02-16",
  "title": "WordPress MapPress Maps plugin\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2022-0208 (GCVE-0-2022-0208)

Vulnerability from cvelistv5

Published

2022-02-14 09:21

Modified

2024-08-02 23:18

Severity ?

CWE

CWE-79 - Cross-site Scripting (XSS)

Summary

The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting

References

▼	URL	Tags
	https://wpscan.com/vulnerability/59a2abd0-4aee-47aa-ad3a-865f624fa0fc	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Unknown	MapPress Maps for WordPress	Version: 2.73.4 < 2.73.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:18:42.553Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/59a2abd0-4aee-47aa-ad3a-865f624fa0fc"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MapPress Maps for WordPress",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "2.73.4",
              "status": "affected",
              "version": "2.73.4",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Krzysztof Zaj\u0105c"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid parameter before outputting it back in the \"Bad mapid\" error message, leading to a Reflected Cross-Site Scripting"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-14T09:21:07",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/59a2abd0-4aee-47aa-ad3a-865f624fa0fc"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "MapPress Maps for WordPress \u003c 2.73.4 - Reflected Cross-Site scripting",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-0208",
          "STATE": "PUBLIC",
          "TITLE": "MapPress Maps for WordPress \u003c 2.73.4 - Reflected Cross-Site scripting"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MapPress Maps for WordPress",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "2.73.4",
                            "version_value": "2.73.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Krzysztof Zaj\u0105c"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid parameter before outputting it back in the \"Bad mapid\" error message, leading to a Reflected Cross-Site Scripting"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/59a2abd0-4aee-47aa-ad3a-865f624fa0fc",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/59a2abd0-4aee-47aa-ad3a-865f624fa0fc"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-0208",
    "datePublished": "2022-02-14T09:21:07",
    "dateReserved": "2022-01-12T00:00:00",
    "dateUpdated": "2024-08-02T23:18:42.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted