Injection Guard WordPress Plugin Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Injection Guard plugin for WordPress, affecting all versions up to and including 1.2.9. The issue arises from inadequate input sanitization in the 'sanitize_ig_data()' function, which only sanitizes array values but neglects array keys. This flaw is compounded by a lack of output escaping in the 'ig_settings.php' template, where stored parameter keys are directly echoed into HTML. When a request is made, the plugin captures the query string via the server's 'QUERY_STRING' variable, applies 'esc_url_raw()' (which retains URL-encoded special characters), and then passes it to 'parse_str()', resulting in decoded HTML or JavaScript in the array keys. These keys are stored using 'update_option('ig_requests_log')' and later displayed on the admin log page without proper escaping. Consequently, unauthenticated attackers can inject arbitrary scripts that execute when an administrator views the Injection Guard log interface.
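The fix for the two defects described above (keys left unsanitized before storage, and stored keys echoed without escaping) can be shown in a few lines of PHP. The following is an added example, not code from the Injection Guard plugin or its patch: the function names ig_sanitize_request_data() and ig_render_log_row() are hypothetical counterparts to the plugin's sanitize_ig_data() and the ig_settings.php template, the WordPress helpers sanitize_key(), sanitize_text_field() and esc_html() are given stand-in definitions so the file runs under plain php from the command line, and the query string is a constructed sample.

```php
<?php
// Added example, not code from the Injection Guard plugin: a hardened version
// of the logging path the advisory describes. Two fixes are shown together:
// (1) sanitize array KEYS as well as values before storing, and (2) escape
// stored keys and values at the point they are echoed into the admin page.

// Stand-ins for WordPress helpers so the file runs under plain `php` from the
// command line. Assumption: these approximate the real WordPress functions
// (sanitize_key, sanitize_text_field, esc_html) closely enough for the demo;
// inside WordPress the function_exists() guards leave the real ones in place.
if (!function_exists('sanitize_key')) {
    function sanitize_key($key) {
        // WordPress keeps only lowercase alphanumerics, dashes and underscores.
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        return trim(preg_replace('/[\r\n\t ]+/', ' ', $str));
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Hardened counterpart to the advisory's sanitize_ig_data(). Hypothetical
// name: the original only sanitized values; this one sanitizes keys too and
// recurses into nested arrays such as those produced by `id[]=5`.
function ig_sanitize_request_data(array $data): array {
    $clean = [];
    foreach ($data as $key => $value) {
        $safe_key = sanitize_key($key);
        if ($safe_key === '') {
            continue; // nothing safe left of the key: drop the entry rather than store it
        }
        $clean[$safe_key] = is_array($value)
            ? ig_sanitize_request_data($value)
            : sanitize_text_field($value);
    }
    return $clean;
}

// Output side: escape every key and value when rendering the log table, so
// the page stays inert even if an older, unsanitized entry is still in storage.
function ig_render_log_row(array $entry): string {
    $html = '';
    foreach ($entry as $key => $value) {
        $shown = is_array($value) ? json_encode($value) : (string) $value;
        $html .= '<tr><td>' . esc_html($key) . '</td><td>' . esc_html($shown) . '</td></tr>' . "\n";
    }
    return $html;
}

// Constructed sample query string (not taken from the advisory): a markup tag
// sits in a parameter NAME, which is exactly the position the original code
// never sanitized. parse_str() decodes percent-encoding into keys and values.
$query_string = 'page=1&%3Ci%3Eprobe%3C%2Fi%3E=x&id%5B%5D=5';
parse_str($query_string, $params);

echo "Decoded keys:   ", implode(', ', array_keys($params)), "\n";
$sanitized = ig_sanitize_request_data($params);
echo "Sanitized keys: ", implode(', ', array_keys($sanitized)), "\n";

// Rendering the raw (unsanitized) entry still yields inert text because of
// esc_html(); rendering the sanitized one has no markup left at all.
echo "Escaped output:\n", ig_render_log_row($params);
echo "Sanitized output:\n", ig_render_log_row($sanitized);
```

Run it with `php example.php` and compare the two key lists: the decoded list still contains the tag from the parameter name, the sanitized list does not. The two table renderings show why both layers matter: output escaping protects the admin page even for entries written before the fix, while key sanitization keeps markup out of the stored option in the first place.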
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected log.
Reproduction
To reproduce this vulnerability, send a request to a WordPress site with a query string that includes malicious JavaScript or HTML in the parameter names. The Injection Guard plugin will log these parameters. Then, access the Injection Guard log interface as an administrator to trigger the execution of the injected script.
Remediation
Users are advised to update the Injection Guard WordPress plugin to version 1.3.0 or later, where this vulnerability has been patched.
