CVE-2021-36870 - Vulnerability Details - OpenCVE

Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps plugin (versions <= 8.1.12). Vulnerable parameters: &dataset_name, &wpgmza_gdpr_retention_purpose, &wpgmza_gdpr_company_name, &name #2, &name, &polyname #2, &polyname, &address.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00204.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Codecabin	Wp Go Maps

Configuration 1 [-]

cpe:2.3:a:codecabin:wp_go_maps:*:*:*:*:*:wordpress:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-23446	Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps plugin (versions <= 8.1.12). Vulnerable parameters: &dataset_name, &wpgmza_gdpr_retention_purpose, &wpgmza_gdpr_company_name, &name #2, &name, &polyname #2, &polyname, &address.

Fixes

Solution

Update to the 8.1.13 version.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-google-maps-plugin-8-1-12-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities
https://wordpress.org/plugins/wp-google-maps/#developers

History

Tue, 22 Oct 2024 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2021-09-09T11:18:20.862719Z

Updated: 2024-10-22T19:36:38.285Z

Reserved: 2021-07-19T00:00:00

Link: CVE-2021-36870

Vulnrichment

Updated: 2024-08-04T01:01:59.812Z

NVD

Status : Modified

Published: 2021-09-09T12:15:09.070

Modified: 2024-11-21T06:14:13.490

Link: CVE-2021-36870

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "WP Google Maps (WordPress plugin)", "vendor": "Code Cabin Inc", "versions": [{"lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.12", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Original researcher - Vlad Visse (Patchstack Red Team)"}], "datePublic": "2021-09-08T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps plugin (versions <= 8.1.12). Vulnerable parameters: &dataset_name, &wpgmza_gdpr_retention_purpose, &wpgmza_gdpr_company_name, &name #2, &name, &polyname #2, &polyname, &address."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-09T11:18:20", "orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wordpress.org/plugins/wp-google-maps/#developers"}, {"tags": ["x_refsource_MISC"], "url": "https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-google-maps-plugin-8-1-12-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities"}], "solutions": [{"lang": "en", "value": "Update to the 8.1.13 version."}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress WP Google Maps plugin <= 8.1.12 - Multiple Authenticated Persistent XSS vulnerabilities", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "audit@patchstack.com", "DATE_PUBLIC": "2021-09-08T10:12:00.000Z", "ID": "CVE-2021-36870", "STATE": "PUBLIC", "TITLE": "WordPress WP Google Maps plugin <= 8.1.12 - Multiple Authenticated Persistent XSS vulnerabilities"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WP Google Maps (WordPress plugin)", "version": {"version_data": [{"version_affected": "<=", "version_name": "8.1.12", "version_value": "8.1.12"}]}}]}, "vendor_name": "Code Cabin Inc"}]}}, "credit": [{"lang": "eng", "value": "Original researcher - Vlad Visse (Patchstack Red Team)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps plugin (versions <= 8.1.12). Vulnerable parameters: &dataset_name, &wpgmza_gdpr_retention_purpose, &wpgmza_gdpr_company_name, &name #2, &name, &polyname #2, &polyname, &address."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "references": {"reference_data": [{"name": "https://wordpress.org/plugins/wp-google-maps/#developers", "refsource": "CONFIRM", "url": "https://wordpress.org/plugins/wp-google-maps/#developers"}, {"name": "https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-google-maps-plugin-8-1-12-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities", "refsource": "MISC", "url": "https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-google-maps-plugin-8-1-12-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities"}]}, "solution": [{"lang": "en", "value": "Update to the 8.1.13 version."}], "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.812Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wordpress.org/plugins/wp-google-maps/#developers"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-google-maps-plugin-8-1-12-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-22T19:31:20.569875Z", "id": "CVE-2021-36870", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T19:36:38.285Z"}}]}, "cveMetadata": {"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "assignerShortName": "Patchstack", "cveId": "CVE-2021-36870", "datePublished": "2021-09-09T11:18:20.862719Z", "dateReserved": "2021-07-19T00:00:00", "dateUpdated": "2024-10-22T19:36:38.285Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://wordpress.org/plugins/wp-google-maps/#developers", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-google-maps-plugin-8-1-12-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.812Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-36870", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T19:31:20.569875Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T19:32:19.896Z"}}], "cna": {"title": "WordPress WP Google Maps plugin <= 8.1.12 - Multiple Authenticated Persistent XSS vulnerabilities", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "Original researcher - Vlad Visse (Patchstack Red Team)"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Code Cabin Inc", "product": "WP Google Maps (WordPress plugin)", "versions": [{"status": "affected", "version": "8.1.12", "versionType": "custom", "lessThanOrEqual": "8.1.12"}]}], "solutions": [{"lang": "en", "value": "Update to the 8.1.13 version."}], "datePublic": "2021-09-08T00:00:00", "references": [{"url": "https://wordpress.org/plugins/wp-google-maps/#developers", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-google-maps-plugin-8-1-12-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps plugin (versions <= 8.1.12). Vulnerable parameters: &dataset_name, &wpgmza_gdpr_retention_purpose, &wpgmza_gdpr_company_name, &name #2, &name, &polyname #2, &polyname, &address."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2021-09-09T11:18:20"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "Original researcher - Vlad Visse (Patchstack Red Team)"}], "impact": {"cvss": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "8.1.12", "version_value": "8.1.12", "version_affected": "<="}]}, "product_name": "WP Google Maps (WordPress plugin)"}]}, "vendor_name": "Code Cabin Inc"}]}}, "solution": [{"lang": "en", "value": "Update to the 8.1.13 version."}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://wordpress.org/plugins/wp-google-maps/#developers", "name": "https://wordpress.org/plugins/wp-google-maps/#developers", "refsource": "CONFIRM"}, {"url": "https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-google-maps-plugin-8-1-12-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities", "name": "https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-google-maps-plugin-8-1-12-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps plugin (versions <= 8.1.12). Vulnerable parameters: &dataset_name, &wpgmza_gdpr_retention_purpose, &wpgmza_gdpr_company_name, &name #2, &name, &polyname #2, &polyname, &address."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Cross-site Scripting (XSS)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-36870", "STATE": "PUBLIC", "TITLE": "WordPress WP Google Maps plugin <= 8.1.12 - Multiple Authenticated Persistent XSS vulnerabilities", "ASSIGNER": "audit@patchstack.com", "DATE_PUBLIC": "2021-09-08T10:12:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-36870", "state": "PUBLISHED", "dateUpdated": "2024-10-22T19:36:38.285Z", "dateReserved": "2021-07-19T00:00:00", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2021-09-09T11:18:20.862719Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codecabin:wp_go_maps:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "60CDACA5-AB26-4147-95D4-25C57E5743F9", "versionEndIncluding": "8.1.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities in WordPress WP Google Maps plugin (versions <= 8.1.12). Vulnerable parameters: &dataset_name, &wpgmza_gdpr_retention_purpose, &wpgmza_gdpr_company_name, &name #2, &name, &polyname #2, &polyname, &address."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo Cross-Site Scripting (XSS) Persistentes y Autenticadas en el plugin WP Google Maps de WordPress (versiones anteriores a 8.1.12, incluy\u00e9ndola). Par\u00e1metros vulnerables: &dataset_name, &wpgmza_gdpr_retention_purpose, &wpgmza_gdpr_company_name, &name #2, &name, &polyname #2, &polyname, &address"}], "id": "CVE-2021-36870", "lastModified": "2024-11-21T06:14:13.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-09T12:15:09.070", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-google-maps-plugin-8-1-12-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities"}, {"source": "audit@patchstack.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://wordpress.org/plugins/wp-google-maps/#developers"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/wp-google-maps/wordpress-wp-google-maps-plugin-8-1-12-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://wordpress.org/plugins/wp-google-maps/#developers"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}