WPVDB-ID: DCBE3334-357A-4744-B50C-309D10CCA30D
Published: May 15, 2023

Stop Spammers Security < 2023 - Admin+ Stored XSS

Source: wpscan.com
Tags: spammers security, plugin, stored xss, vulnerability, admin, high privilege, cross-site scripting, unfiltered_html, capability, multisite setup, poc, payload, challenge & block, response timeout value, protection options, software

EPSS score: 0.001 (Low), percentile 23.7%

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as an admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). Administrators normally hold unfiltered_html, so the finding is only a security boundary where that capability has been removed, as it is for non-super-admins on multisite or on sites that define DISALLOW_UNFILTERED_HTML.

PoC

Put the payload below in any of the "Challenge & Block" settings (/wp-admin/admin.php?page=ss_challenge), or in the "Response Timeout Value" setting under "Protection Options" (/wp-admin/admin.php?page=ss_options), then save:

" style=animation-name:rotation onanimationstart=alert(/XSS/)//

The leading double quote closes the attribute the setting is echoed back into; the rest injects a style that starts a CSS animation plus an onanimationstart handler, so the script runs as soon as the settings page renders, with no user interaction. The payload assumes a keyframe animation named rotation is already defined in the loaded admin CSS; if it is not, the handler never fires, although the attribute injection itself still demonstrates the missing escaping.
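As an added illustration (not part of the advisory and not the plugin's code), the following Python models the two ways a stored setting can be written into an input's value attribute: concatenated raw, which is the flaw the advisory describes, and escaped for attribute context, which is what WordPress's esc_attr() does. Python's html.escape() stands in for esc_attr(), and the standard-library HTML parser shows which attributes a browser would end up assigning to the element. The input name ss_timeout, the default timeout of 5 and the sanitize_timeout helper are assumptions made for the example.

```python
"""Added example: why the PoC payload works and how attribute escaping stops it.

Illustrative code only, not the plugin's code. html.escape() stands in for
WordPress's esc_attr(); the setting name and the timeout default are made up.
"""
import re
from html import escape
from html.parser import HTMLParser

# The PoC payload quoted in the advisory, as it would sit in the wp_options table.
PAYLOAD = '" style=animation-name:rotation onanimationstart=alert(/XSS/)//'


class StartTagCollector(HTMLParser):
    """Records each start tag with the attributes a browser would assign to it."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def attributes_of(markup):
    """Parse a fragment containing exactly one element and return its attributes."""
    parser = StartTagCollector()
    parser.feed(markup)
    parser.close()
    if len(parser.tags) != 1:
        raise ValueError(f"expected exactly one element, got {len(parser.tags)}")
    return parser.tags[0][1]


def render_unescaped(setting):
    """Vulnerable pattern: the stored option is concatenated straight into the attribute."""
    return f'<input type="text" name="ss_timeout" value="{setting}">'


def render_escaped(setting):
    """Hardened pattern: escape for attribute context on output (esc_attr() in WordPress)."""
    return f'<input type="text" name="ss_timeout" value="{escape(setting, quote=True)}">'


def sanitize_timeout(raw, default=5):
    """Sanitize on save: a timeout is a non-negative integer, anything else becomes the default.

    This is the role a register_setting() sanitize callback such as absint() should play;
    the default of 5 is an assumption for the example.
    """
    return int(raw) if re.fullmatch(r"\d+", raw.strip()) else default


if __name__ == "__main__":
    leaky = attributes_of(render_unescaped(PAYLOAD))
    safe = attributes_of(render_escaped(PAYLOAD))
    print("unescaped attributes:", sorted(leaky))  # includes 'onanimationstart' and 'style'
    print("escaped attributes:  ", sorted(safe))   # only name, type and value
    print("value survives intact:", safe["value"] == PAYLOAD)
    print("timeout after sanitising the payload:", sanitize_timeout(PAYLOAD))
```

Escaping on output is what closes the XSS; sanitising on save is defence in depth that also keeps a free-text payload out of a field that should only ever hold a number. Both belong in the fix, because a setting that is escaped on one admin page may be echoed unescaped on another.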

