WP-Ban ban-options.php toggle_checkbox cross site scripting
Description
WP-Ban plugin suffers from a stored self-XSS vulnerability due to unescaped User-Agent output in ban-options.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the WP-Ban plugin, specifically in the toggle_checkbox function within the ban-options.php file. The value of $_SERVER["HTTP_USER_AGENT"] is echoed into the page's HTML without escaping, so any markup or script contained in the header is parsed and executed by the browser that loads the page. Because $_SERVER["HTTP_USER_AGENT"] holds the header of the request being served, the value displayed is the viewer's own User-Agent, which is why the advisory classes the issue as self-XSS rather than a conventional stored XSS. Versions prior to commit 13e0b1e922f3aaa3f8fcb1dd6d50200dd693fd76 are affected. The patch wraps the value in esc_html(), which converts &, <, >, " and ' to HTML entities so the header is rendered as inert text [1][2].
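The two output shapes described above, as an added example that is not code from the WP-Ban plugin or from the advisory: the raw echo of the User-Agent header beside the escaped form the fix introduces. The <strong> markup around the value and the esc_html_standin() helper are assumptions, since the page carries no diff and the real esc_html() only exists with WordPress loaded.

```php
<?php
// Added example, not code from the WP-Ban plugin or the advisory.
// Shows the unescaped echo of the User-Agent header that the advisory
// describes beside the esc_html() form introduced by the fix. The
// surrounding <strong> markup is assumed; the page carries no diff.

// Stand-in for WordPress esc_html(), which exists only with WordPress
// loaded. esc_html() escapes & < > " ' through htmlspecialchars with
// ENT_QUOTES; the real function also validates UTF-8 first.
function esc_html_standin(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the raw header goes straight into the page.
function render_user_agent_vulnerable(string $user_agent): string
{
    return '<strong>' . $user_agent . '</strong>';
}

// Fixed pattern: the header is escaped on output, so any markup it
// carries is shown as visible text instead of being parsed as HTML.
function render_user_agent_fixed(string $user_agent): string
{
    return '<strong>' . esc_html_standin($user_agent) . '</strong>';
}

// Under a web server the value is the header of the request being
// served, i.e. the viewer's own User-Agent (the self-XSS point).
// From the CLI there is no such header, so a constructed payload is used.
$user_agent = $_SERVER['HTTP_USER_AGENT']
    ?? 'Mozilla/5.0 <script>alert(document.cookie)</script>';

echo "vulnerable: " . render_user_agent_vulnerable($user_agent) . "\n";
echo "fixed:      " . render_user_agent_fixed($user_agent) . "\n";
```

Run from the command line the script prints the constructed payload intact in the vulnerable line and entity-encoded in the fixed line; served through a web server with a browser whose User-Agent contains markup, it shows the same contrast for a real request header.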
Exploitation
A User-Agent string containing HTML or JavaScript is rendered unescaped when the ban options page that displays it is loaded, and the payload executes in the browser of the administrator viewing that page. Because the page echoes $_SERVER["HTTP_USER_AGENT"] from the request being served, the crafted header has to arrive in the administrator's own request: an unauthenticated remote attacker cannot trigger the issue by sending the header from their own client, since that would only render in the attacker's browser. The realistic paths are a browser extension, proxy or malware that rewrites the administrator's User-Agent, or tricking the administrator into setting it themselves and then visiting the page. No special network position is needed beyond that control over the administrator's request [1][2].
Impact
Successful exploitation executes attacker-controlled JavaScript in the administrator's browser session on the WordPress admin origin. From there the script can perform actions on the administrator's behalf, such as modifying plugin settings, exfiltrating data readable from the admin area, or carrying out other administrative operations. The impact is limited to the administrator's session, but given the elevated privileges of an administrator this can lead to full site compromise. The self-XSS precondition substantially lowers the practical risk, since the attacker must already influence the header the administrator's browser sends [1][2].
Mitigation
The vulnerability is patched in commit 13e0b1e922f3aaa3f8fcb1dd6d50200dd693fd76, which was merged into the WP-Ban repository. Administrators should update to a plugin release that includes this fix; the vendor has not published a numbered release containing it, so applying the patched ban-options.php is sufficient. There is no configuration workaround if upgrading is not immediately possible; short of patching, exposure can be reduced by not opening the ban options page from a browser whose User-Agent could have been altered. The CVE is not known to be in CISA's KEV catalog [1][2].
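Since no release number identifies the fix, a practitioner will want to confirm whether an installed copy still outputs the header unescaped. The following added example (not part of the advisory or the plugin) is a heuristic line scanner for exactly the pattern this CVE describes: a line that outputs $_SERVER['HTTP_USER_AGENT'] without an escaping call wrapped directly around it. The sample source, the plugin path and the set of escaping function names are assumptions; a value assigned on one line and echoed on another is not caught.

```php
<?php
// Added example, not part of the advisory or the WP-Ban plugin. A
// heuristic check for the pattern this CVE describes: a line that
// outputs $_SERVER['HTTP_USER_AGENT'] without an escaping call wrapped
// around it. Intended to confirm that an installed ban-options.php
// carries the fix when no release number identifies it.

function find_unescaped_user_agent_output(string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $index => $line) {
        // The line reads the User-Agent superglobal ...
        $reads_header = preg_match(
            '/\$_SERVER\s*\[\s*[\'"]HTTP_USER_AGENT[\'"]\s*\]/', $line);
        // ... and sends something to the output ...
        $outputs = preg_match('/\b(?:echo|print|printf)\b|<\?=/', $line);
        // ... with an escaping call (assumed list) directly wrapping the read.
        $escaped = preg_match(
            '/\b(?:esc_html|esc_attr|esc_textarea|htmlspecialchars|wp_kses(?:_post)?)\s*\(\s*\$_SERVER/',
            $line);
        if ($reads_header && $outputs && !$escaped) {
            $findings[$index + 1] = trim($line);
        }
    }
    return $findings;
}

// Constructed sample standing in for ban-options.php; the real file's
// markup is not on the page. Line 3 has the vulnerable shape, line 4 the fixed one.
$sample = <<<'PHP'
<?php
$ip = $_SERVER['REMOTE_ADDR'];
echo '<strong>' . $_SERVER['HTTP_USER_AGENT'] . '</strong>';
echo '<strong>' . esc_html( $_SERVER['HTTP_USER_AGENT'] ) . '</strong>';
PHP;

// Path is an assumption; pass the real file as the first argument.
$path = $argv[1] ?? 'wp-content/plugins/wp-ban/ban-options.php';
$source = is_readable($path) ? file_get_contents($path) : $sample;

$findings = find_unescaped_user_agent_output($source);
if ($findings === []) {
    echo "no unescaped User-Agent output found\n";
}
foreach ($findings as $lineNo => $text) {
    echo "line $lineNo: $text\n";
}
```

Against the constructed sample the scanner reports only line 3; run against a real ban-options.php, any reported line is one to compare with the esc_html() form in the fix commit before treating the install as patched.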
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
unspecified / WP-Ban v5 (range: n/a)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. The mechanics section is only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.