WordPress Plugin Vulnerabilities

Stop Spammers Security < 2023 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

Put the payload below in any of the "Challenge & Block" (ie /wp-admin/admin.php?page=ss_challenge) settings, or in the "Response Timeout Value" settings in the "Protection Options" (ie /wp-admin/admin.php?page=ss_options) and save

" style=animation-name:rotation onanimationstart=alert(/XSS/)//

Affects Plugins

Plugin icon
stop-spammer-registrations-plugin
Fixed in 2023

References

CVE
CVE-2023-2489

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
dcbe3334-357a-4744-b50c-309d10cca30d

Timeline

Publicly Published
2023-05-15 (about 6 months ago)
Added
2023-05-15 (about 6 months ago)
Last Updated
2023-05-15 (about 6 months ago)

Other

Published
Title
Published
2022-09-23
Title
Popup Maker < 1.16.9 - Contributor+ Stored XSS via Shortcode
Published
2023-07-17
Title
Bubble Menu < 3.0.5 - Admin+ Stored XSS
Published
2021-07-17
Title
iQ Block Country < 1.2.12 - Admin+ Stored Cross-Site Scripting
Published
2018-01-12
Title
Dark Mode <= 1.6 - Stored XSS
Published
2014-08-01
Title
WPtouch 1.9.19.4 - Cross-Site Scripting (XSS)