cbcvebase.
CVE-2019-10692
published 2019-04-02

CVE-2019-10692: In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.

Priority: P2 · EPSS 78 · critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 78.70% (99.5th percentile)

Affected

1 range

Vendor      Product      Version range   Fixed in
codecabin   wp_go_maps   < 7.11.18       7.11.18

Detection & IOCs (extracted from sources)

url    /?rest_route=/wpgmza/v1/markers&filter=%7b%7d&fields=%2a%20from%20wp_users--%20-
url    /index.php?rest_route=/wpgmza/v1/markers/&filter=%7B%7D&fields=*+from+wp_users+--+-
path   /includes/class.rest-api.php
  • Look for GET requests to the WordPress REST API endpoint /wpgmza/v1/markers (via rest_route or index.php?rest_route) whose 'fields' parameter carries a SQL injection payload such as '* from wp_users -- -'. The payload arrives URL-encoded ('%2a%20from%20wp_users--%20-' or '*+from+wp_users+--+-'), so decode the query string before matching; a legitimate 'fields' value is a plain comma-separated list of column names.
  • A successful exploitation response is an HTTP 200 with Content-Type application/json whose body contains the 'user_login', 'user_pass' and 'user_nicename' fields of the users table.
  • Use the Google Dork 'inurl:index.php?rest_route=/wpgmza/' to identify potentially vulnerable WordPress instances exposed on the internet.
  • The sources report the vulnerability in wp-google-maps plugin versions 7.11.00 through 7.11.17 inclusive (the affected range above lists everything before 7.11.18); the REST endpoint is unauthenticated and requires no privileges to exploit.
  • The WordPress database table prefix is configurable by administrators and may not be 'wp_', so the SQL injection payload must be adjusted accordingly (e.g. 'wp_users' may be 'abc_users'). A detection that matches only the literal string 'wp_users' will miss such attempts; match on the shape of the 'fields' value instead, since the endpoint does not sanitize it at all.
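The following is an added detection example, not code from the page or from the wp-google-maps project. It applies the indicators above to web-server access logs: it URL-decodes the query string (so both the '%2a%20' and the '+' encoded variants are caught), identifies requests to the /wpgmza/v1/markers route, and flags any 'fields' value that is not a plain comma-separated identifier list, which makes it independent of the table prefix. The log lines are constructed for the example; the function and regex names are mine, and the /wp-json/wpgmza/v1/markers pretty-permalink form is assumed from WordPress's default REST base, not taken from the page.

```python
"""Flag wp-google-maps REST requests whose `fields` parameter is not a plain
column list (CVE-2019-10692). Added example with constructed log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# A legitimate `fields` value is a comma-separated list of column identifiers.
# Anything else (spaces, '*', comment markers, quotes) is treated as suspicious,
# so the rule does not depend on the 'wp_' table prefix.
SAFE_FIELDS = re.compile(r"^[A-Za-z0-9_]+(?:,[A-Za-z0-9_]+)*$")

# The vulnerable route, with or without the trailing slash seen in the IOCs.
WPGMZA_MARKERS = re.compile(r"/wpgmza/v1/markers/?$")

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (not real traffic). Lines 1-2 are the page's two IOCs,
# line 3 the same technique against a custom table prefix, lines 4-5 benign.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Apr/2019:10:00:01 +0000] "GET /?rest_route=/wpgmza/v1/markers&filter=%7b%7d&fields=%2a%20from%20wp_users--%20- HTTP/1.1" 200 1843 "-" "curl/7.64.0"',
    '198.51.100.7 - - [02/Apr/2019:10:00:02 +0000] "GET /index.php?rest_route=/wpgmza/v1/markers/&filter=%7B%7D&fields=*+from+wp_users+--+- HTTP/1.1" 200 1843 "-" "curl/7.64.0"',
    '203.0.113.9 - - [02/Apr/2019:10:00:03 +0000] "GET /?rest_route=/wpgmza/v1/markers&fields=*+from+abc_users+--+- HTTP/1.1" 200 1843 "-" "python-requests/2.21"',
    '192.0.2.4 - - [02/Apr/2019:10:00:04 +0000] "GET /?rest_route=/wpgmza/v1/markers&fields=id,lat,lng,title HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [02/Apr/2019:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2431 "-" "Mozilla/5.0"',
]


def request_target(log_line):
    """Return the request target (path + query) from an access-log line, or None."""
    m = REQUEST_RE.search(log_line)
    return m.group("target") if m else None


def classify(target):
    """Classify one request target.

    Returns None if it is not a wpgmza markers request, "ok" if `fields` is
    absent or a plain identifier list, otherwise the decoded suspicious value.
    """
    parts = urlsplit(target)
    # parse_qs decodes both %xx escapes and '+' as space, which is exactly
    # what the two encoded IOC variants need.
    params = parse_qs(parts.query, keep_blank_values=True)
    route = params.get("rest_route", [None])[0]
    # Fall back to the URL path for the /wp-json/wpgmza/v1/markers form
    # (assumed from WordPress's default REST base, not from the page).
    path = route if route is not None else parts.path
    if not WPGMZA_MARKERS.search(path):
        return None
    for value in params.get("fields", []):
        if not SAFE_FIELDS.match(value):
            return value
    return "ok"


def scan(log_lines):
    """Return (client_ip, decoded fields value) for every suspicious request."""
    hits = []
    for line in log_lines:
        target = request_target(line)
        if target is None:
            continue
        verdict = classify(target)
        if verdict not in (None, "ok"):
            hits.append((line.split(" ", 1)[0], verdict))
    return hits


if __name__ == "__main__":
    for ip, payload in scan(SAMPLE_LOG):
        print(f"{ip}  fields={payload!r}")
```

Run against real logs by replacing SAMPLE_LOG with the file's lines; the request-side rule above cannot see the response body, so pair it with the response indicator (HTTP 200, application/json, 'user_pass' in the body) from a WAF or proxy log to confirm successful exploitation.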

CVSS provenance

NVD   v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD   v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P