■ ■ ■ ■ ■ ■
CVEs/2021/CVE-2021-36873.md
| 1 | 1 | | # CVE-2021-36873 |
| 2 | 2 | | |
| 3 | 3 | | ## Description |
| 4 | | - | Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: `&blockcountry_blockmessage`. |
| | 4 | + | Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: &blockcountry_blockmessage. |
| 5 | 5 | | |
| 6 | 6 | | ## CVSS (Vector and Score) |
| 7 | 7 | | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N - 5.5 MEDIUM |
| skipped 9 lines |
| 17 | 17 | | |
| 18 | 18 | | ## Steps to Reproduce |
| 19 | 19 | | 1. Login as administrator |
| 20 | | - | 2. Go to http://localhost/wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php |
| 21 | | - | 3. Find `Message to display when people are blocked:` form |
| 22 | | - | 4. Input `</textarea><script>alert(1)</script>` |
| 23 | | - | 5. Scroll down and press `Save Changes` button |
| | 20 | + | 2. |
| | 21 | + | |
| 24 | 22 | | |
| 25 | 23 | | ## Proof of Concept |
| | 24 | + | - Image |
| 26 | 25 | | - Video |
| 27 | | - | |
| 28 | | - | > https://youtu.be/WtOiHY5R-t0 |
| 29 | | - | - Image |
| 30 | | - |  |
Muhammad Daffa
committed
1 year ago