Powie's WHOIS Domain Check Persistent Cross-Site Scripting Vulnerability
Vulnerability
A persistent cross-site scripting vulnerability has been identified in Powie's WHOIS Domain Check plugin for WordPress, specifically in version 0.9.31. This vulnerability allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in the plugin's settings. The malicious payloads can be submitted through textarea and input elements on the pwhois_settings.php configuration page, enabling the execution of JavaScript in the admin context and potential privilege escalation.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the admin user.
Reproduction
To reproduce this vulnerability, an authenticated user can navigate to the WordPress admin dashboard and access the Powie's WHOIS Domain Check plugin settings page. Once there, the user can inject JavaScript payloads into the vulnerable textarea and input fields, such as 'Show on available domains', 'Show on unavailable domains', 'Show on invalid domain', 'HTML before whois output', and 'HTML after whois output'. After submitting the injected payloads, the JavaScript will be executed when the settings page is revisited.
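One way a settings page can handle the five fields listed above safely, written here as an added example and not taken from the plugin's own code. It assumes the file is loaded inside WordPress as a plugin; the option keys, settings group, and function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example WHOIS settings hardening (illustrative)
 * Added example; option and function names are hypothetical, not the plugin's own.
 */

// Hypothetical option keys standing in for the five fields named in the advisory.
const EXAMPLE_WHOIS_HTML_OPTIONS = array(
    'example_whois_available',
    'example_whois_unavailable',
    'example_whois_invalid',
    'example_whois_before_html',
    'example_whois_after_html',
);

// Store side: pass every value through wp_kses_post() before it is saved, so
// <script> elements and on* event-handler attributes never reach the database.
add_action( 'admin_init', function () {
    foreach ( EXAMPLE_WHOIS_HTML_OPTIONS as $name ) {
        register_setting( 'example_whois_settings', $name, array(
            'type'              => 'string',
            'sanitize_callback' => 'wp_kses_post',
            'default'           => '',
        ) );
    }
} );

// Render side (settings page): the stored value is data inside a <textarea>,
// so encode it with esc_textarea() instead of echoing it raw.
function example_whois_render_field( $name ) {
    // Unsafe pattern of the kind the advisory describes (stored value echoed as-is):
    //   echo '<textarea name="' . $name . '">' . get_option( $name ) . '</textarea>';
    printf(
        '<textarea name="%s" rows="4" cols="60">%s</textarea>',
        esc_attr( $name ),
        esc_textarea( get_option( $name, '' ) )
    );
}

// Render side (front end): these fields are meant to carry markup, so filter
// again on output in case a value was stored before sanitisation existed.
function example_whois_output_html( $name ) {
    echo wp_kses_post( get_option( $name, '' ) );
}
```

Filtering on save and encoding on render are both needed: values already stored by a vulnerable version stay in the database until they are re-saved, so the output-side escaping is what protects the next admin who opens the page.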
