CVE-2024-13565 - Exploiting Stored XSS in Simple Map No Api WordPress Plugin (<= v1.9)

TL;DR:
The Simple Map No Api plugin for WordPress, up to and including version 1.9, has a dangerous vulnerability. If you’re letting contributors add content, they can inject malicious scripts into your site using a weak spot in the map shortcode’s width parameter. If exploited, anything from cookie theft to site takeover is possible.

This post simplifies the vulnerability, explains how it works, shows you a proof-of-concept exploit, and links to official advisories. If you’re using this plugin, upgrade or disable it immediately!

What is Simple Map No Api?

Simple Map No Api is a WordPress plugin that helps you show maps on your pages using shortcodes without requiring Google Maps APIs. It’s lightweight and easy to use, so 1,000+ sites rely on it.

What’s CVE-2024-13565?

CVE-2024-13565 is a critical *Stored Cross-Site Scripting (XSS)* vulnerability. Attackers with at least Contributor privileges can inject evil JavaScript into posts or pages by abusing the shortcode’s width attribute. The plugin does not properly sanitize or escape user input for this parameter—it just sticks whatever you give in the final rendered HTML.

References:
- Wordfence Advisory
- WPScan Advisory
- NVD CVE entry

Any site using *Simple Map No Api* version 1.9 or lower.

- Attacker needs at least *Contributor* access—which is not hard to get on multisite, open registration blogs, or compromised accounts.

How does the exploit work?

Scenario:

Attacker logs in as a Contributor.

- Creates a new post or page containing the plugin shortcode, but puts dangerous code in the width parameter.

The plugin code is supposed to look like

// Inside the plugin's main file
$width = $_POST['width']; // comes from shortcode unfiltered!
echo '<div style="width:' . $width . ';">Map here...</div>';

But with no filtering, an attacker can do

[simple-map-no-api width="100%; background: red; ' onmouseover='alert(document.cookie)"]

Which outputs

<div style="width:100%; background: red; ' onmouseover='alert(document.cookie)'>Map here...</div>

When a user hovers over the map, their cookies could leak (or worse).

Proof-of-Concept (PoC) Exploit

STEP 1: Log in as a *Contributor*.

STEP 2: Create a new post with the following content

[simple-map-no-api width="100%; background: red; ' onmouseover='alert(document.domain)"]

What happens next?
Anyone viewing the post triggers the JavaScript. If the attacker uses a more advanced payload, they can hijack sessions, deface content, or add admin users silently.

Patch it!

There may or may not be a fixed release yet—always check the plugin’s page and its changelog.

Deactivate the plugin if a patch isn’t available.

3. Restrict user roles: Lock down who can become Contributors, especially on public or multi-author blogs.

Sanitize input in custom plugins and shortcodes: Always validate and escape attributes!

- See WordPress Data Validation for best practices.

If you must fix the plugin yourself

$width = preg_replace('/[^-9.%]/', '', $_POST['width']); // allow only numbers, dot, percent, etc.
echo '<div style="width:' . esc_attr($width) . ';">Map here...</div>';

This filters out most evil input and safely escapes output.

In conclusion

CVE-2024-13565 isn’t just another line in a vulnerability database. If you run WordPress and use the Simple Map No Api plugin (<= 1.9), attackers can inject JavaScript that stays on your site and targets your visitors or your admin accounts. Take action NOW—update, patch, or remove the plugin before someone else takes control.

More resources

- WPScan Vulnerability Report
- Wordfence Threat Intelligence
- National Vulnerability Database Entry

*Stay safe. More secure WordPress means a safer web for everyone!*

Timeline

Published on: 02/18/2025 05:15:13 UTC
Last modified on: 02/24/2025 14:55:25 UTC