VYPR
Severity: Unrated · NVD Advisory · Published Jan 2, 2023 · Updated Apr 10, 2025

WP-Ban < 1.69.1 - Admin+ Stored XSS

CVE-2022-4260

Description

The WP-Ban plugin before 1.69.1 lacks sanitisation of settings, allowing admin-level Stored XSS even with unfiltered_html disabled in multisite.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WP-Ban WordPress plugin before version 1.69.1 fails to sanitise and escape some of its settings, making it vulnerable to Stored Cross-Site Scripting (XSS). This affects admin-level users who can modify plugin settings; the vulnerability is reachable even when the unfiltered_html capability is disallowed, such as in a multisite configuration [1].

Exploitation

An attacker with admin privileges on a WordPress site running the vulnerable plugin can inject malicious JavaScript into plugin settings fields. The stored payload will be executed when another administrator visits the affected settings page. The attack does not require the attacker to have the unfiltered_html capability, bypassing typical WordPress restrictions [1].

Impact

Successful exploitation leads to Stored XSS, allowing an attacker to perform actions such as stealing session cookies, redirecting users, or modifying page content in the context of the victim administrator's session. The impact is limited to actions available to the logged-in administrator, but could lead to full site compromise if combined with other vectors [1].

Mitigation

Update WP-Ban to version 1.69.1 or later, which fixes the sanitisation issue. The release date of the fix is not known; the advisory was publicly published on 2022-12-06. No workaround is provided; upgrading is the only recommended mitigation [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1

News mentions: 0 (no linked articles in the index yet)