VYPR
Unrated severity · NVD Advisory · Published May 15, 2025 · Updated May 17, 2025

Maspik - Advanced Spam protection < 2.1.3 - Admin+ Stored XSS

CVE-2024-9182

Description

Stored XSS in Maspik WordPress plugin prior to 2.1.3 allows admin users to inject arbitrary scripts even when unfiltered_html is disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Maspik WordPress plugin before version 2.1.3 fails to sanitize some of its settings on save and to escape them on output, creating a stored Cross-Site Scripting (XSS) vulnerability. The vulnerable code path is reached when an administrator opens the plugin's settings page and modifies the affected fields. The issue persists even when the WordPress unfiltered_html capability has been removed from administrators [1].
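As an added illustration of the sanitize-on-save, escape-on-output pattern the narrative refers to (this is not the Maspik plugin's code; the option name, settings group and function names are hypothetical, while the WordPress API calls are real), here is a settings field handled the weak way beside the hardened way, including why unfiltered_html does not protect option values:

```php
<?php
// Added illustration, not code from the Maspik plugin. Option name, settings
// group and function names are hypothetical; the WordPress API calls are real.

// --- Weak pattern: stored raw, echoed raw. ---
function weak_register_setting() {
    // No sanitize_callback: the submitted string is written to wp_options as-is.
    // The unfiltered_html capability never applies here; KSES filtering guards
    // post content, not plugin options, so disallowing it does not help.
    register_setting( 'example_group', 'example_blocked_words' );
}

function weak_render_field() {
    $value = get_option( 'example_blocked_words', '' );
    // Unescaped output: a stored value containing a quote and a tag breaks out
    // of the attribute and runs whenever an admin opens this settings page.
    echo '<input type="text" name="example_blocked_words" value="' . $value . '">';
}

// --- Hardened pattern: sanitize on save, escape on output. ---
function hardened_register_setting() {
    register_setting( 'example_group', 'example_blocked_words', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_blocked_words',
        'default'           => '',
    ) );
}

// Runs through the sanitize_option_{option} filter on every save, including
// programmatic update_option() calls, so it must not depend on request state.
function example_sanitize_blocked_words( $raw ) {
    // One keyword per line; sanitize_text_field() strips tags, percent-encoded
    // characters and line breaks from each entry.
    $lines = array_map( 'sanitize_text_field', explode( "\n", (string) $raw ) );
    return implode( "\n", array_filter( $lines, 'strlen' ) );
}

function hardened_render_field() {
    $value = get_option( 'example_blocked_words', '' );
    // esc_textarea() encodes quotes and angle brackets at render time, which
    // also neutralises any unsanitized value left over from an older version.
    echo '<textarea name="example_blocked_words">' . esc_textarea( $value ) . '</textarea>';
}
```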

Exploitation

An attacker requires administrative access to the WordPress site. The exploitation sequence is straightforward: the attacker navigates to the Maspik plugin settings, inserts malicious JavaScript payloads into the unsanitized setting fields, and saves the configuration. No additional user interaction is needed; the payload is stored and executed automatically whenever the settings are rendered, typically on the plugin's admin pages [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the WordPress admin dashboard. This can lead to session hijacking, defacement, theft of sensitive information, or further privilege escalation. The impact is limited to the admin interface, but an attacker could leverage the XSS to perform actions on behalf of other administrators or inject malicious content into site responses [1].

Mitigation

The vulnerability is fixed in version 2.1.3 of the Maspik plugin. Administrators should update to this version or later immediately. No official workaround has been published, and the plugin repository reflects the fixed version [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in the index yet)