IP2Location Country Blocker
cpe:2.3:a:ip2location:country_blocker:*:*:*:*:wordpress:*:*
- <= 2.26.7
A stored cross-site scripting vulnerability has been identified in the WordPress IP2Location Country Blocker plugin, specifically in version 2.26.7. This vulnerability allows authenticated users to inject arbitrary JavaScript into the Frontend Settings interface. The injected scripts are executed when administrators or other authenticated users access the plugin settings page.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user visiting the settings page.
To reproduce this vulnerability, install and activate the IP2Location Country Blocker plugin version 2.26.7. Navigate to the 'Frontend Settings' interface of the plugin. Enable the 'Frontend Blocking' option and select the 'URL' option for the 'Display page when visitor is blocked' setting. Inject a script payload into the 'URL' input in the 'Other Settings' area and save the changes. The injected script will execute when the settings page is visited by an authenticated user.
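The root cause described above is a settings value that is stored without sanitization and rendered back into the admin page without escaping. The following is an added illustrative example, not code from the IP2Location Country Blocker plugin, showing the weak pattern beside the hardened WordPress pattern (sanitize on save, escape on output, capability check before rendering). The option name `ip2lcb_demo_settings`, the field name `blocked_url` and the `ip2lcb_demo_*` function names are assumptions made for this demo.

```php
<?php
// Added example, not the plugin's own code. Option/field/function names are
// assumptions for this demo.

// Weak pattern: the stored value is concatenated into an attribute unescaped.
// A stored value containing a quote and markup closes the attribute and is
// rendered as HTML, so it runs in the browser of whoever opens the settings page.
function ip2lcb_demo_render_url_field_weak( array $settings ) {
    $url = isset( $settings['blocked_url'] ) ? $settings['blocked_url'] : '';
    echo '<input type="text" name="blocked_url" value="' . $url . '">';
}

// Hardened pattern, step 1: sanitize on save via the option's sanitize_callback.
function ip2lcb_demo_sanitize_settings( $input ) {
    $clean = array( 'blocked_url' => '' );
    if ( is_array( $input ) && isset( $input['blocked_url'] ) ) {
        // esc_url_raw() normalizes the URL for storage and drops anything whose
        // scheme is not in the allowed list, so javascript: and data: never
        // reach the database. Only http/https make sense for a redirect target.
        $clean['blocked_url'] = esc_url_raw(
            wp_unslash( $input['blocked_url'] ),
            array( 'http', 'https' )
        );
    }
    return $clean;
}

function ip2lcb_demo_register_settings() {
    register_setting(
        'ip2lcb_demo_group',
        'ip2lcb_demo_settings',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'ip2lcb_demo_sanitize_settings',
            'default'           => array( 'blocked_url' => '' ),
        )
    );
}
add_action( 'admin_init', 'ip2lcb_demo_register_settings' );

// Hardened pattern, step 2: escape on output, and never trust the stored value
// even though it was sanitized on save (older rows may predate the fix).
function ip2lcb_demo_render_url_field_hardened() {
    // Only users allowed to manage options should see or edit this form.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $settings = get_option( 'ip2lcb_demo_settings', array( 'blocked_url' => '' ) );
    $url      = isset( $settings['blocked_url'] ) ? $settings['blocked_url'] : '';

    // esc_url() is the output escaper for URLs in attributes; it HTML-encodes
    // quotes and angle brackets so the value cannot break out of value="...".
    printf(
        '<input type="url" name="ip2lcb_demo_settings[blocked_url]" value="%s">',
        esc_url( $url )
    );
}

// Settings page callback: settings_fields() emits the nonce and option_page
// fields so the Settings API verifies the request before calling the
// sanitize callback above.
function ip2lcb_demo_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ip2lcb-demo' ) );
    }
    echo '<form method="post" action="options.php">';
    settings_fields( 'ip2lcb_demo_group' );
    ip2lcb_demo_render_url_field_hardened();
    submit_button();
    echo '</form>';
}
```

Two independent layers matter here: input sanitization alone is not enough because values written before the fix, or written through another code path, still sit in the database, while output escaping alone leaves a `javascript:` URL stored as a live redirect target for the blocked-visitor page. A plugin audit for this class of bug looks for every `get_option()` value that reaches `echo`/`printf` without an `esc_*()` call, and for every `register_setting()` call that lacks a `sanitize_callback`.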