WordPress Plugin Vulnerabilities

iQ Block Country < 1.1.20 - Reflected Cross-Site Scripting (XSS)

Description

The iQ Block Country WordPress plugin was affected by an Authenticated Reflected Cross-Site Scripting (XSS) security vulnerability, which could be exploited via a CSRF attack against a logged in administrator.

Proof of Concept

Affects Plugins

Plugin icon
iq-block-country
Fixed in 1.1.20

References

URL
http://cinu.pl/research/wp-plugins/mail_9853820e07651f94256abcd75e8f7e9b.html
URL
http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
9.6 (critical)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
8113a201-9318-4d8b-ae7e-ac23ed87b1de

Timeline

Publicly Published
2015-08-24 (about 10 years ago)
Added
2015-11-24 (about 10 years ago)
Last Updated
2021-03-03 (about 5 years ago)

Other

Published
Title
Published
2025-12-15
Title
CC Child Pages < 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'child_pages' Shortcode
Published
2025-04-25
Title
Libro de Reclamaciones <= 1.0.1 - Reflected Cross-Site Scripting
Published
2025-12-31
Title
User Specific Content <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-09-06
Title
Carrot <= 1.1.0 - Admin+ Stored XSS
Published
2022-05-03
Title
Enable SVG < 1.4.0 - Author+ Stored Cross Site Scripting via SVG