■ ■ ■ ■ ■ ■
CVEs/2021/CVE-2021-36873.md
| 1 | 1 | | # CVE-2021-36873 |
| 2 | 2 | | |
| 3 | 3 | | ## Description |
| 4 | | - | Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: &blockcountry_blockmessage. |
| | 4 | + | Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plugin (versions <= 1.2.11). Vulnerable parameter: `&blockcountry_blockmessage`. |
| 5 | 5 | | |
| 6 | 6 | | ## CVSS (Vector and Score) |
| 7 | 7 | | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N - 5.5 MEDIUM |
| skipped 9 lines |
| 17 | 17 | | |
| 18 | 18 | | ## Steps to Reproduce |
| 19 | 19 | | 1. Login as administrator |
| 20 | | - | 2. |
| | 20 | + | 2. Go to http://localhost/wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php |
| | 21 | + | 3. Find `Message to display when people are blocked:` form |
| | 22 | + | 4. Input `</textarea><script>alert(1)</script>` |
| | 23 | + | 5. Scroll down and press `Save Changes` button |
| | 24 | + | |
| | 25 | + | ## Proof of Concept |
| | 26 | + | - Video |
| 21 | 27 | | |
| | 28 | + | > https://youtu.be/WtOiHY5R-t0 |
| 22 | 29 | | |
| 23 | | - | ## Proof of Concept |
| 24 | 30 | | - Image |
| 25 | | - | - Video |
| | 31 | + |  |
| | 32 | + | |
Muhammad Daffa
committed
with
GitHub
1 year ago
1 parent d618747c