CVE-2024-13542
📋 TL;DR
This vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious scripts into WordPress pages using the WP Google Street View plugin's shortcode. The scripts execute whenever users view the compromised pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, install backdoors, redirect users to malicious sites, or completely compromise the WordPress site and potentially the server.
Likely Case
Attackers inject malicious JavaScript to steal user session cookies, redirect visitors to phishing pages, or display unwanted advertisements.
If Mitigated
With proper user role management and input validation, impact is limited to defacement or minor content manipulation by trusted users.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has contributor privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.4 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'WP Google Street View' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.1.4+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Remove Contributor XSS Capability
Temporarily remove the contributor role's ability to publish posts/pages until the patch is applied.
Use a WordPress role editor plugin or add custom code to functions.php. WordPress has no global remove_cap() function; the capability is removed through the role object returned by get_role(): $role = get_role('contributor'); if ($role) { $role->remove_cap('publish_posts'); }
Disable Plugin
Deactivate the vulnerable plugin until it is patched:
wp plugin deactivate wp-google-street-view
🧯 If You Can't Patch
- Implement strict user role management: limit contributor accounts to trusted users only
- Add web application firewall (WAF) rules to block XSS payloads in shortcode attributes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → WP Google Street View version. If the installed version is 1.1.3 or lower, the site is vulnerable.
Check Version:
wp plugin list --name='wp-google-street-view' --field=version
Verify Fix Applied:
Confirm plugin version is 1.1.4 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual post/page edits by contributor users
- wpgsv shortcode with suspicious attribute values in post content
Network Indicators:
- Outbound connections to unknown domains from WordPress pages
- JavaScript loading from unexpected sources
SIEM Query:
source="wordpress.log" AND ("wpgsv" OR "shortcode") AND ("script" OR "javascript" OR "onclick" OR "onload")
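As an added example (not from this advisory and not the plugin's own code), the following Python script applies the content-level indicators above to exported post content: it finds each [wpgsv ...] shortcode, splits its attributes, and flags event-handler attribute names or values that carry script tags, javascript: URLs, inline handlers, or the quote and angle-bracket characters used to break out of an HTML attribute. The sample posts, the post IDs and the attribute names lat/lng/heading/caption are constructed for the example; the plugin's real attribute names are not given on the page.

```python
import re

# Shortcode tag from the advisory; [^\]]* captures everything up to the closing bracket.
SHORTCODE_RE = re.compile(r"\[wpgsv\b([^\]]*)\]")

# One attribute: key="value", key='value' or key=bare (WordPress shortcode syntax).
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Attribute names such as onclick/onload/onmouseover never belong in a map shortcode.
EVENT_ATTR_RE = re.compile(r"^on[a-z]+$")

# Values carrying script tags, javascript: URLs, inline handlers, or characters
# used to break out of an HTML attribute (the advisory's SIEM terms, widened).
SUSPICIOUS_VALUE_RE = re.compile(
    r"""<\s*script|javascript\s*:|\bon[a-z]+\s*=|["'<>]""", re.IGNORECASE
)


def parse_attrs(raw):
    """Return {name: value} for the attribute string of one shortcode."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        name = m.group(1).lower()
        # exactly one of the three value groups matched
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


def scan_post(post_id, content):
    """Return a list of findings for every wpgsv shortcode in one post's content."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for name, value in parse_attrs(sc.group(1)).items():
            reasons = []
            if EVENT_ATTR_RE.match(name):
                reasons.append("event-handler attribute name")
            if SUSPICIOUS_VALUE_RE.search(value):
                reasons.append("script/markup characters in attribute value")
            if reasons:
                findings.append(
                    {"post_id": post_id, "attr": name, "value": value, "reasons": reasons}
                )
    return findings


def scan_all(posts):
    """Scan a {post_id: post_content} mapping and return all findings."""
    findings = []
    for post_id, content in posts.items():
        findings.extend(scan_post(post_id, content))
    return findings


# Constructed sample content; IDs and attribute names are assumptions for this example,
# not the plugin's documented shortcode attributes.
SAMPLE_POSTS = {
    101: 'Find us here: [wpgsv lat="40.7484" lng="-73.9857" heading="90"]',
    102: '[wpgsv lat="40.7484" lng="-73.9857" heading=\'1" onmouseover="alert(1)\']',
    103: "[wpgsv lat=\"40.7\" lng=\"-73.9\" caption='<script>alert(1)</script>']",
    104: "Plain post with no shortcode, just <strong>text</strong>.",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_POSTS):
        print(
            f"post {f['post_id']}: attribute {f['attr']!r} flagged "
            f"({', '.join(f['reasons'])}): {f['value']!r}"
        )
```

On a live site the same functions can be run over real content, for example by listing IDs with `wp post list --post_type=post,page --field=ID` and fetching each body with `wp post get <ID> --field=post_content`; a finding is a trigger to review the post's revision history and the author account named in the "Unusual post/page edits" indicator above, not proof of compromise on its own.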