CVE-2020-37225
Description
Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in plugin settings. Attackers can submit malicious payloads through textarea and input elements in the pwhois_settings.php configuration page to execute JavaScript in the admin context and escalate privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Powie's WHOIS Domain Check 0.9.31 has a stored XSS vulnerability allowing authenticated attackers to inject arbitrary JavaScript via unsanitized plugin settings fields.
What the vulnerability is
Powie's WHOIS Domain Check plugin for WordPress version 0.9.31 suffers from a persistent cross-site scripting (XSS) vulnerability. The plugin fails to sanitize user input in multiple fields on the pwhois_settings.php settings page. Specifically, the textarea elements for options such as "Show on available domains" (display-on-free), "Show on unavailable domains" (display-on-connect), and "Show on invalid domain" (display-on-valid) echo the stored option values directly into the page without escaping [1]. A stored value can therefore terminate the open textarea element and inject arbitrary HTML and JavaScript into the rest of the page [1].
How it is exploited
The attacker must be authenticated to access the plugin settings page. A lower-privileged WordPress user (such as a subscriber or editor) can craft a payload that closes the vulnerable textarea element and includes a JavaScript payload. Since the output is stored and rendered in the admin interface, the malicious script executes when an administrator views the affected settings page [1]. No other special network position or user interaction is required beyond the administrator's normal page load.
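The two defects described above, unescaped output into a textarea and a settings form reachable by low-privileged users, are shown below in a minimal WordPress settings handler. This is an added illustration written for this page, not code from Powie's WHOIS Domain Check; the option names reuse the field names mentioned above, but the functions, the `PWD_OPTIONS` constant and the `pwd_` prefix are hypothetical. The first render function reproduces the unsafe pattern; the settings page that follows adds the capability check, nonce, input sanitization and output escaping a hardened version needs.

```php
<?php
// Added illustration, not the plugin's own code. Option names are taken from
// the CVE narrative; everything else (PWD_OPTIONS, pwd_* functions) is hypothetical.

const PWD_OPTIONS = array(
    'display-on-free'    => 'Show on available domains',
    'display-on-connect' => 'Show on unavailable domains',
    'display-on-valid'   => 'Show on invalid domain',
);

// VULNERABLE pattern: the stored option is echoed straight into the textarea body.
// A stored value that begins with a closing textarea tag ends the element, and the
// browser parses whatever follows as live markup in the administrator's session.
function pwd_render_textarea_unsafe( $name ) {
    $value = get_option( $name, '' );
    echo '<textarea name="' . $name . '">' . $value . '</textarea>';
}

// HARDENED: only administrators may load or submit the page, the POST is bound to
// a nonce, each value is sanitized before storage, and every value is escaped for
// the context it lands in (attribute, element text, textarea body) on output.
function pwd_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }

    if ( isset( $_POST['pwd_save'] ) ) {
        check_admin_referer( 'pwd_save_settings' );
        foreach ( array_keys( PWD_OPTIONS ) as $name ) {
            $raw = isset( $_POST[ $name ] ) ? wp_unslash( $_POST[ $name ] ) : '';
            // sanitize_textarea_field() strips tags and control characters but keeps newlines.
            update_option( $name, sanitize_textarea_field( $raw ) );
        }
    }

    echo '<form method="post">';
    wp_nonce_field( 'pwd_save_settings' );
    foreach ( PWD_OPTIONS as $name => $label ) {
        pwd_render_textarea_safe( $name, $label );
    }
    echo '<input type="submit" name="pwd_save" value="Save">';
    echo '</form>';
}

function pwd_render_textarea_safe( $name, $label ) {
    $value = get_option( $name, '' );
    printf(
        '<label for="%1$s">%2$s</label><textarea id="%1$s" name="%1$s">%3$s</textarea>',
        esc_attr( $name ),      // attribute context
        esc_html( $label ),     // element text context
        esc_textarea( $value )  // encodes < > & " so a stored "</textarea>" stays inert text
    );
}
```

Escaping on output is the control that actually closes the hole described above: even if a tainted value reaches the database through some other path, `esc_textarea()` turns the closing tag into literal text. The sanitize step is defence in depth; if these templates are meant to carry limited HTML, replace `sanitize_textarea_field()` with `wp_kses_post()` rather than dropping sanitization, and keep the output escaping in place either way.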
Impact
Because the injected script runs in the admin context, the attacker can perform actions that the admin can, such as creating new administrator accounts, modifying site content, or installing malicious plugins. This effectively allows an attacker to escalate their privileges from a low-level user to full site administrator [1][4].
Mitigation status
Users should update to a version newer than 0.9.31; the vendor's changelog indicates fixes [1]. As of the publication date, the vulnerability is publicly documented in Exploit-DB and tracked by VulnCheck [1][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: = 0.9.31
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
News mentions (0)
No linked articles in our index yet.