CVEs/2021/CVE-2021-36873.md
1 | 1 | | # CVE-2021-36873 |
2 | 2 | | |
3 | 3 | | ## Description |
4 | | - | Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: `&blockcountry_blockmessage`. |
| 4 | + | Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: &blockcountry_blockmessage. |
5 | 5 | | |
6 | 6 | | ## CVSS (Vector and Score) |
7 | 7 | | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N - 5.5 MEDIUM |
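Review bot: Removing the backticks around `&blockcountry_blockmessage` on the new line 4 drops the code formatting the rest of the advisory relies on (the form label and payload in Steps to Reproduce are backtick-quoted), and the leading `&` is query-string separator syntax rather than part of the parameter name. Suggest keeping it as `blockcountry_blockmessage` in backticks, e.g. "Vulnerable parameter: `blockcountry_blockmessage`."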
| skipped 9 lines |
17 | 17 | | |
18 | 18 | | ## Steps to Reproduce |
19 | 19 | | 1. Login as administrator |
20 | | - | 2. Go to http://localhost/wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php |
21 | | - | 3. Find `Message to display when people are blocked:` form |
22 | | - | 4. Input `</textarea><script>alert(1)</script>` |
23 | | - | 5. Scroll down and press `Save Changes` button |
| 20 | + | 2. |
| 21 | + | |
24 | 22 | | |
25 | 23 | | ## Proof of Concept |
| 24 | + | - Image |
26 | 25 | | - Video |
27 | | - | |
28 | | - | > https://youtu.be/WtOiHY5R-t0 |
29 | | - | - Image |
30 | | - | ![image](https://user-images.githubusercontent.com/36522826/202700374-52d36350-adff-4fe3-b46d-21f08955e8c6.png) |
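Review bot: Steps 2-5 of Steps to Reproduce are replaced by an empty numbered item `2.` plus a blank line, and Proof of Concept loses both the video URL and the screenshot while keeping bare `- Image` and `- Video` bullets, so after this change the advisory no longer says how the issue is triggered or shows any evidence for it. If the intent is to withdraw the reproduction details, remove the dangling `2.` item and the two empty bullets (and the headings if nothing remains under them); otherwise restore the settings page URL, the `Message to display when people are blocked:` field, the `</textarea><script>alert(1)</script>` payload, the `Save Changes` step, and the video and image links so the Description's claim of a persistent XSS stays backed by the steps and proof.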