Stop Spammers Security < 2023 – Admin+ Stored XSS | CVE 2023-2489 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

Put the payload below in any of the "Challenge & Block" (ie /wp-admin/admin.php?page=ss_challenge) settings, or in the "Response Timeout Value" settings in the "Protection Options" (ie /wp-admin/admin.php?page=ss_options) and save

" style=animation-name:rotation onanimationstart=alert(/XSS/)//

Affects Plugins

stop-spammer-registrations-plugin

Fixed in 2023

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

dcbe3334-357a-4744-b50c-309d10cca30d

Timeline

Publicly Published

2023-05-15 (about 1 years ago)

Added

2023-05-15 (about 1 years ago)

Last Updated

2023-05-15 (about 1 years ago)

Other

Published

Title

Published

2023-05-09

Title

GTmetrix for WordPress < 0.4.6 - Reflected Cross-Site Scripting

Published

2023-05-30

Title

AI-Engine < 1.6.83 - Admin+ Stored XSS

Published

2012-08-08

Title

Postie 1.4.3 - Stored Cross-Site Scripting (XSS)

Published

2022-01-05

Title

SupportCandy < 2.2.7 - Reflected Cross-Site Scripting

Published

2024-04-03

Title

WooCommerce Customers Manager < 29.8 - Reflected XSS