This vulnerability can be exploited by hackers to change the settings of the target application or to steal data by exploiting the user’s trust in the developer of an application.
To avoid these risks, always check the API key of the plugin/theme you are using on the website. Avoid using API keys that are hard to guess or that are related to any personal data. You can also find API keys on the plugin’s page in the ‘About’ section.
What we came across was a plugin named Google Maps, developed by the WP plugin team and available in the plugin repository. This plugin is used to add Google Maps to your site. However, we discovered that the API key for this plugin was not changed and was hard to guess. As a result, hackers were able to easily change the API key in their browser, which changed the settings of the plugin.
Google Maps
One of the most popular plugins for WordPress is Google Maps. This plugin is used on a large number of websites to add a Google Maps application to your site. However, when we changed the API key for this plugin, we discovered that it was possible for hackers to change the settings in their browser and steal data from its victims.
Google Maps API Key Vulnerability
This vulnerability is caused by the lack of changing the API key in the plugin. There are many plugins on WordPress.org that use Google Maps and it is important to keep track of their API keys, as they can be easily changed by hackers. You can find out what an API key looks like from a template in one of your favorite themes or plugins on WordPress.org.
Always check this information before you start using an application in order to avoid any risks that may occur as a result of vulnerabilities such as this one, which could result in your site being hacked and your data being stolen.
Timeline
Published on: 06/15/2022 16:15:00 UTC
Last modified on: 06/27/2022 13:20:00 UTC
References
- https://patchstack.com/database/vulnerability/api-key-for-google-maps/wordpress-api-key-for-google-maps-plugin-1-2-1-csrf-vulnerability-leading-to-google-maps-api-key-update
- https://wordpress.org/plugins/api-key-for-google-maps/#developers
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29453