CVE-2022-50961
Description
WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Settings interface. Attackers can inject malicious scripts in the URL field of the Display page settings that execute when administrators or other authenticated users visit the plugin settings page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IP2Location Country Blocker 2.26.7 has a stored XSS in the Frontend Settings URL field, allowing authenticated attackers to inject arbitrary JavaScript that executes in the admin settings page.
Vulnerability
Overview
The IP2Location Country Blocker WordPress plugin, version 2.26.7, contains a stored cross-site scripting (XSS) vulnerability in its Frontend Settings interface. The plugin fails to properly sanitize user-supplied input in the URL field of the Display page settings, allowing authenticated users to inject arbitrary JavaScript or HTML code [1][2]. This input is stored and later rendered without adequate escaping when the settings page is viewed by other authenticated users, including administrators [2].
Exploitation
Details
An attacker needs an authenticated account that can reach the plugin's settings page; the description says only "authenticated users", and which roles the plugin's capability check admits is not stated here. The attacker enables the "Frontend Blocking" feature, selects the "URL" option for the blocked-visitor display page, and stores a malicious payload in the URL input field [2]. The payload persists in the database and runs whenever an authenticated user with access to the settings page loads it, so the only victim interaction required is opening that page [3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information such as cookies or authentication tokens. The attack targets administrators and other authenticated users who have access to the plugin settings, potentially compromising the entire WordPress installation [2][3].
Mitigation
The affected-products entry on this page lists version 2.26.7 itself, and no patch is linked here, so 2.26.7 must be treated as vulnerable rather than fixed. Check the vendor's changelog for a release newer than 2.26.7 that sanitizes the stored URL and escapes it on output, and update as soon as one is available. Until then, the only mitigations are disabling the plugin or restricting access to its settings page to trusted administrators [1][3].
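The save-and-render pattern behind the Overview, Details and Mitigation passages above, as an added illustration that is not IP2Location's code: a hypothetical WordPress settings handler that stores the Display page URL raw and echoes it unescaped, beside a hardened version. The option name, function names, field name and nonce action are assumptions for illustration, as is the choice to render the value inside a double-quoted `value` attribute; the WordPress API calls (`update_option`, `get_option`, `esc_url_raw`, `esc_url`, `current_user_can`, `wp_verify_nonce`, `wp_nonce_field`, `wp_unslash`) are real and behave as commented.

```php
<?php
/**
 * Hypothetical settings handler (illustration only, not the plugin's code).
 * Option name, function names, field name and nonce action are assumptions.
 */

// ----- Vulnerable pattern: store raw input, echo it back unescaped -----
function ip2lb_demo_save_vulnerable() {
    if ( isset( $_POST['display_url'] ) ) {
        // The raw field is persisted as-is. Anyone who can submit this form can
        // store markup such as "><img src=x onerror=alert(document.cookie)>
        // or a javascript: URL; nothing here rejects it.
        update_option( 'ip2lb_demo_display_url', wp_unslash( $_POST['display_url'] ) );
    }
}

function ip2lb_demo_render_vulnerable() {
    $url = get_option( 'ip2lb_demo_display_url', '' );
    // Unescaped concatenation inside a double-quoted attribute: a stored '"'
    // terminates the value, '>' closes the tag, and the remainder is parsed as
    // markup that executes for every user who loads the settings page.
    echo '<input type="text" name="display_url" value="' . $url . '">';
}

// ----- Hardened pattern: authorize the write, sanitize on store, escape on output -----
function ip2lb_demo_save_hardened() {
    if ( ! isset( $_POST['display_url'] ) ) {
        return;
    }
    // Only users who may manage options can change settings, and the request
    // must carry the nonce emitted by the form, so a lower-privileged account
    // or a cross-site request cannot write the value.
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! current_user_can( 'manage_options' )
        || ! wp_verify_nonce( $nonce, 'ip2lb_demo_save_settings' ) ) {
        return;
    }
    // esc_url_raw() keeps only URLs whose scheme is in wp_allowed_protocols()
    // (javascript: and data: are not) and strips characters that cannot occur
    // in a URL, including '<', '>', '"' and whitespace, so raw markup never
    // reaches the database.
    $url = esc_url_raw( wp_unslash( $_POST['display_url'] ) );
    update_option( 'ip2lb_demo_display_url', $url );
}

function ip2lb_demo_render_hardened() {
    $url = get_option( 'ip2lb_demo_display_url', '' );
    // Escape at the point of output for the attribute context regardless of
    // what the database holds; esc_url() is the URL-specific display escaper
    // and also encodes '&' and single quotes.
    printf(
        '<input type="text" name="display_url" value="%s">',
        esc_url( $url )
    );
    // Emits the hidden _wpnonce field the hardened save routine checks.
    wp_nonce_field( 'ip2lb_demo_save_settings' );
}
```

Both halves matter: sanitizing on store (`esc_url_raw`) keeps an attacker from persisting a payload, and escaping on output (`esc_url`) protects the page even if a bad value was written by older code or by another path. When reviewing a plugin for this class of bug, search the settings page template for option values concatenated or echoed into attributes without an `esc_*` call, and check that the save path enforces both a capability and a nonce.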
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 2.26.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3; not reproduced on this page)
News mentions
No linked articles in our index yet.