Themify Maps Pro – Stored cross-site scripting vulnerability

Daniel Compton of BSI Cybersecurity and Information Resilience (formerly Info-Assure Ltd) discovered a high-risk security vulnerability in the Maps Pro WordPress plugin.

As part of our responsible disclosure program, we will not release any information until the vendor has patched the vulnerability. Once the vulnerability has been patched, we will not disclose the exact details or exploitation methods for 3 months. This gives all users of the product sufficient time to ensure they have updated and are protected against the issue.

Vulnerability type: Stored cross-site scripting

Vendor: Themify.me

Vulnerable product version: Maps Pro 1.0.0

Fixed product version: Maps Pro 1.0.1

Vendor Patch Release: http://themify.me/changelogs/builder-maps-pro.txt

Discovered: 12/01/2015

Reported: 12/01/2015

Vendor fixed: 12/01/2015

Partial disclosure: 14/01/2015

Full disclosure: TBA