WordPress Plugin IP2Location Country Blocker 2.26.7 - Stored Cross Site Scripting (XSS) (Authenticated)

vendor:

IP2Location Country Blocker

by:

Ahmet Serkan Ari

8.8

CVSS

HIGH

Stored Cross Site Scripting (XSS)

CWE

Product Name: IP2Location Country Blocker

Affected Version From: 2.26.7

Affected Version To: 2.26.7

Patch Exists: YES

Related CWE:

CPE: 2.3:a:wordpress:ip2location_country_blocker:2.26.7

Metasploit:

Other Scripts:

Platforms Tested: Linux

2022

WordPress Plugin IP2Location Country Blocker 2.26.7 – Stored Cross Site Scripting (XSS) (Authenticated)

IP2Location Country Blocker is a plugin enables user to block unwanted traffic from accesing Wordpress frontend (blog pages) or backend (admin area) by countries or proxy servers. An authenticated user is able to inject arbitrary Javascript or HTML code to the 'Frontend Settings' interface available in settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability.

Mitigation:

The vulnerability can be mitigated by updating the plugin to the latest version (2.26.7) or later.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin IP2Location Country Blocker 2.26.7 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 02-02-2022
# Exploit Author: Ahmet Serkan Ari
# Software Link: https://wordpress.org/plugins/ip2location-country-blocker/
# Version: 2.26.7
# Tested on: Linux
# CVE: N/A
# Thanks: Ceylan Bozogullarindan

# Description:
IP2Location Country Blocker is a plugin enables user to block unwanted traffic from accesing Wordpress frontend (blog pages) or backend (admin area) by countries or proxy servers. It helps to reduce spam and unwanted sign ups easily by preventing unwanted visitors from browsing a particular page or entire website.
An authenticated user is able to inject arbitrary Javascript or HTML code to the "Frontend Settings" interface available in settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability.

The details of the discovery are given below.

# Steps To Reproduce:
1. Install and activate the IP2Location Country Blocker plugin.
2. Visit the "Frontend Settings" interface available in settings page of the plugin that is named "Country Blocker".
3. Check the "Enable Frontend Blocking" option.
4. Choose the "URL" option for the "Display page when visitor is blocked" setting.
5. Type the payload given below to the "URL" input where is in the "Other Settings" area.

http://country-blocker-testing.com/test#"'><script>alert(document.domain)</script>

6. Click the "Save Changes" button.
7. The XSS will be triggered on the settings page when every visit of an authenticated user.