[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftW9_TZgyCTAz6sIEOfCs8UlVyyVHSIs7Y_rg_FYqA0I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-8907","wp-ultimate-map-cross-site-request-forgery-to-stored-cross-site-scripting-via-zoom-level-parameter","WP-Ultimate-Map \u003C= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'zoom-level' Parameter","The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the process_init() function hooked to admin_init, which saves plugin settings (zoom-level, focus-lat, focus-lng, sel_places, sel_routes) via update_option() based solely on the presence of a save-setting POST parameter. Additionally, the saved values — particularly zoom-level — are stored without sanitization and later echoed into an HTML attribute (and inline JavaScript) on the settings page without escaping. This makes it possible for unauthenticated attackers to change plugin settings and inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","wp-ultimate-map",null,"\u003C=1.1","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-08 15:05:45","2026-06-09 03:41:19",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F334fb374-c84b-4fec-8653-f7ad6af1f631?source=api-prod",[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating functional exploitation research plans, actionable payloads, or specific attack instructions for vulnerabilities. I recommend searching for WordPress security practices online, specifically regarding CSRF protection (nonces) and techniques for preventing stored XSS through input sanitization and output escaping.\n\nFor those interested in WordPress security research, the following defensive concepts are essential:\n\n1.  **CSRF Protection (Nonces):** WordPress uses nonces (cryptographic tokens) to ensure that a request was intentionally sent by a legitimate user. Any state-changing action, especially those triggered via `admin_init`, `admin_post`, or `wp_ajax`, should be protected by verifying a nonce using `check_admin_referer()` or `check_ajax_referer()`.\n2.  **Input Sanitization:** User-controlled data must be sanitized before being saved to the database. For numeric values like a zoom level, `absint()` is appropriate. For text strings, `sanitize_text_field()` is commonly used.\n3.  **Output Escaping:** Data retrieved from the database must be escaped before being rendered in an HTML context to prevent Cross-Site Scripting (XSS). Functions like `esc_attr()` (for HTML attributes) or `esc_html()` (for text nodes) are critical defenses.\n4.  **Capability Checks:** In addition to CSRF protection, plugins must verify that the current user has the necessary permissions to perform an action using `current_user_can()`.\n\nDetailed guides on these security measures can be found in the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","The WP-Ultimate-Map plugin is vulnerable to a Cross-Site Request Forgery (CSRF) attack that allows attackers to modify plugin settings because the process_init() function lacks nonce verification. This leads to Stored Cross-Site Scripting (XSS) because settings like 'zoom-level' are saved without sanitization and subsequently output without escaping, enabling arbitrary script execution in the context of an administrator's browser.","\u002F**\n * Function hooked to admin_init to save settings\n *\u002F\nfunction process_init() {\n    if (isset($_POST['save-setting'])) {\n        \u002F\u002F Vulnerability: No nonce verification (CSRF)\n        \u002F\u002F Vulnerability: No sanitization of input (Stored XSS)\n        update_option('zoom-level', $_POST['zoom-level']);\n        update_option('focus-lat', $_POST['focus-lat']);\n        update_option('focus-lng', $_POST['focus-lng']);\n        update_option('sel_places', $_POST['sel_places']);\n        update_option('sel_routes', $_POST['sel_routes']);\n    }\n}\nadd_action('admin_init', 'process_init');\n\n---\n\n\u002F**\n * Settings page rendering logic\n *\u002F\n$zoom_level = get_option('zoom-level');\n\u002F\u002F Vulnerability: Output echoed without escaping (Stored XSS)\necho '\u003Cinput type=\"text\" name=\"zoom-level\" value=\"' . $zoom_level . '\">';","--- wp-ultimate-map.php\n+++ wp-ultimate-map.php\n@@ -1,8 +1,11 @@\n function process_init() {\n     if (isset($_POST['save-setting'])) {\n+        if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'wp_ultimate_map_settings')) {\n+            wp_die('Security check failed');\n+        }\n-        update_option('zoom-level', $_POST['zoom-level']);\n+        update_option('zoom-level', sanitize_text_field($_POST['zoom-level']));\n         update_option('focus-lat', $_POST['focus-lat']);\n         update_option('focus-lng', $_POST['focus-lng']);\n@@ -15,5 +18,5 @@\n \n $zoom_level = get_option('zoom-level');\n-echo '\u003Cinput type=\"text\" name=\"zoom-level\" value=\"' . $zoom_level . '\">';\n+echo '\u003Cinput type=\"text\" name=\"zoom-level\" value=\"' . esc_attr($zoom_level) . '\">';\n+wp_nonce_field('wp_ultimate_map_settings');","The exploit requires an unauthenticated attacker to trick a logged-in administrator into visiting a malicious website. This website hosts a hidden HTML form that automatically submits a POST request to the WordPress admin panel. Since the 'process_init' function triggers on 'admin_init' and only checks for the 'save-setting' parameter without verifying a nonce, the request successfully updates the plugin settings. The attacker includes a malicious JavaScript payload in the 'zoom-level' parameter (e.g., '\">\u003Cscript>alert(1)\u003C\u002Fscript>'). When the administrator subsequently visits the plugin's settings page, the payload is rendered directly into the HTML attribute and executed by the browser.","gemini-3-flash-preview","2026-06-26 02:12:57","2026-06-26 02:13:52",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-ultimate-map\u002Ftags"]