Headline
CVE-2023-5315: wpgmappity-metadata.php in wp-gmappity-easy-google-maps/tags/0.6 – WordPress Plugin Repository
The Google Maps made Simple plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode in versions up to, and including, 0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
1<?php23function wpgmappity_insert_meta_data($map) {4 global $wpdb;5 // define json_decode for PHP4 users6 if (!function_exists(‘json_decode’)) {7 function json_decode($content, $assoc=false) {8 require_once wpgmappity_plugin_path().’classes/JSON.phps’;9 if ($assoc) {10 $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);11 }12 else {13 $json = new Services_JSON;14 }15 return $json->decode($content);16 }17 }18 wpgmappity_db_version();19 // JSON.stringify leaves \’s - remove them for json_decode20 $map = json_decode(stripslashes($map), true);21 $table = $wpdb->prefix . "wpgmappity_maps";22 $query = $wpdb->prepare( "23 INSERT INTO $table24 ( map_length, map_height, map_zoom, center_lat, 25 center_long, map_type, alignment, map_address, map_controls, route, promote, version, scroll )26 VALUES ( %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s )",27 $map[‘map_length’], $map[‘map_height’], $map[‘map_zoom’],28 $map[‘center_lat’], $map[‘center_long’], $map[‘map_type’], 29 $map[‘alignment’], $map[‘map_address’], base64_encode(serialize($map[‘controls’])),30 base64_encode(serialize($map[‘route’])),31 $map[‘promote’], WPGMAPPITY_PLUGIN_CURRENT_DB, $map[‘scroll’] );32 $wpdb->query($query);33 $insert_id = $wpdb->insert_id;34 // markers35 foreach ($map[‘markers’] as $marker) {36 $table = $wpdb->prefix . "wpgmappity_markers";37 $query = $wpdb->prepare( "38 INSERT INTO $table39 ( map_id, marker_lat, marker_long, marker_text, marker_url, marker_image )40 VALUES ( %s, %s, %s, %s, %s, %s )",41 $insert_id, $marker[‘lat’], $marker[‘long’],42 $marker[‘marker_text’], $marker[‘marker_url’], $marker[‘image’] );4344 $wpdb->query($query);45 }46 return $insert_id;47}4849function wpgmappity_update_meta_data($map, $map_id) {50 51 global $wpdb;52 // define json_decode for PHP4 users53 if (!function_exists(‘json_decode’)) {54 function json_decode($content, $assoc=false) {55 require_once wpgmappity_plugin_path().’classes/JSON.phps’;56 if ($assoc) {57 $json = new Services_JSON(SERVICES_JSON_LOOSE_TYPE);58 }59 else {60 $json = new Services_JSON;61 }62 return $json->decode($content);63 }64 }656667 wpgmappity_db_version();68 // JSON.stringify leaves \’s - remove them for json_decode69 $map = json_decode(stripslashes($map), true);70 $table = $wpdb->prefix . "wpgmappity_maps";71 $marker_table = $wpdb->prefix . "wpgmappity_markers";72 //die(var_dump($map));73 $wpdb->update( $table, array( ‘map_length’ => $map[‘map_length’], 74 ‘map_height’ => $map[‘map_height’], 75 ‘map_zoom’ => $map[‘map_zoom’], 76 ‘center_lat’ => $map[‘center_lat’],77 ‘center_long’ => $map[‘center_long’], 78 ‘map_type’ => $map[‘map_type’], 79 ‘alignment’ => $map[‘alignment’],80 ‘map_address’ => $map[‘map_address’], 81 ‘map_controls’ => base64_encode(serialize($map[‘controls’])),82 ‘route’ => base64_encode(serialize($map[‘route’])),83 ‘promote’ => $map[‘promote’], 84 ‘scroll’ => $map[‘scroll’], 85 ‘version’ => $map[‘version’] ),86 array( ‘id’ => $map_id ) );87// delete all old markers88 $query = $wpdb->prepare( “89 DELETE FROM $marker_table90 WHERE map_id = $map_id;”);91 $wpdb->query($query);92 // re-add updated markers93 $i = 0;94 foreach ($map[‘markers’] as $marker) {95 $query = $wpdb->prepare( "96 INSERT INTO $marker_table97 ( map_id, marker_lat, marker_long, marker_text, marker_url, marker_image )98 VALUES ( %s, %s, %s, %s, %s, %s )",99 $map_id, $marker[‘lat’], $marker[‘long’],100 $marker[‘marker_text’], '’, $marker[‘image’] );101 $wpdb->query($query);102 }103 return $map_id; 104}105106function wpgmappity_delete_map_item($map_id) {107 108 global $wpdb;109 $table = $wpdb->prefix . "wpgmappity_maps";110 $marker_table = $wpdb->prefix . "wpgmappity_markers";111 112 $query = $wpdb->prepare( “113 DELETE FROM $table114 WHERE id = $map_id;”);115 $wpdb->query($query);116 117 $query = $wpdb->prepare( “118 DELETE FROM $marker_table119 WHERE map_id = $map_id;”);120 $wpdb->query($query);121 122}123124function wgmappity_get_meta_data($map_id) {125 global $wpdb;126 $table = $wpdb->prefix . "wpgmappity_maps";127 return $wpdb->get_results("SELECT * FROM $table WHERE id = $map_id", ARRAY_A);128129}130?>