WordPress Plugin IP2Location Country Blocker 2.26.7 - Stored Cross Site Scripting (XSS) (Authenticated)

# Exploit Title: WordPress Plugin IP2Location Country Blocker 2.26.7 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 02-02-2022
# Exploit Author: Ahmet Serkan Ari
# Software Link: https://wordpress.org/plugins/ip2location-country-blocker/
# Version: 2.26.7
# Tested on: Linux
# CVE: N/A
# Thanks: Ceylan Bozogullarindan


# Description:
IP2Location Country Blocker is a plugin enables user to block unwanted traffic from accesing Wordpress frontend (blog pages) or backend (admin area) by countries or proxy servers. It helps to reduce spam and unwanted sign ups easily by preventing unwanted visitors from browsing a particular page or entire website.
An authenticated user is able to inject arbitrary Javascript or HTML code to the "Frontend Settings" interface available in settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability.


The details of the discovery are given below.

# Steps To Reproduce:
1. Install and activate the IP2Location Country Blocker plugin.
2. Visit the "Frontend Settings" interface available in settings page of the plugin that is named "Country Blocker".
3. Check the "Enable Frontend Blocking" option.
4. Choose the "URL" option for the "Display page when visitor is blocked" setting.
5. Type the payload given below to the "URL" input where is in the "Other Settings" area.

http://country-blocker-testing.com/test#"'><script>alert(document.domain)</script>

6. Click the "Save Changes" button.
7. The XSS will be triggered on the settings page when every visit of an authenticated user.