IP2Location Country Blocker < 2.26.9 – Admin+ Stored Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

As admin, enable Frontend Blocking and put the following payload in the Display page when visitor is blocked > URL option: " style=animation-name:rotation onanimationstart=alert(/XSS/)//

Affects Plugins

ip2location-country-blocker

Fixed in 2.26.9

References

Exploitdb

URL

https://packetstormsecurity.com/files/#165857/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ahmet Serkan Ari

Verified

Yes

WPVDB ID

02ff82d1-73f7-415b-b7bd-7097c2cfabd0

Timeline

Publicly Published

2022-02-04 (about 4 years ago)

Added

2022-02-06 (about 4 years ago)

Last Updated

2022-04-13 (about 4 years ago)

Other

Published

Title

Published

2024-05-14

Title

Popup Builder < 1.1.30 - Authenticated (Author+) Stored Cross-Site Scripting

Published

2023-02-22

Title

Accordions < 2.3.1 - Admin+ Stored XSS

Published

2025-01-23

Title

Precious Metals Charts and Widgets for WordPress < 1.2.9 - Authenticated (Contributor+) Stored Cross-site Scripting

Published

2022-02-17

Title

WP Statistics < 13.1.6 - Multiple Unauthenticated Stored Cross-Site Scripting

Published

2025-01-16

Title

WP Login Attempt Log <= 1.3 - Reflected Cross-Site Scripting