# Exploit Title: WordPress Plugin IP2Location Country Blocker 2.26.7 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 02-02-2022
# Exploit Author: Ahmet Serkan Ari
# Software Link: https://wordpress.org/plugins/ip2location-country-blocker/
# Version: 2.26.7
# Tested on: Linux
# CVE: N/A
# Thanks: Ceylan Bozogullarindan
IP2Location Country Blocker is a plugin enables user to block unwanted traffic from accesing Wordpress frontend (blog pages) or backend (admin area) by countries or proxy servers. It helps to reduce spam and unwanted sign ups easily by preventing unwanted visitors from browsing a particular page or entire website.
The details of the discovery are given below.
# Steps To Reproduce:
1. Install and activate the IP2Location Country Blocker plugin.
2. Visit the "Frontend Settings" interface available in settings page of the plugin that is named "Country Blocker".
3. Check the "Enable Frontend Blocking" option.
4. Choose the "URL" option for the "Display page when visitor is blocked" setting.
5. Type the payload given below to the "URL" input where is in the "Other Settings" area.
6. Click the "Save Changes" button.
7. The XSS will be triggered on the settings page when every visit of an authenticated user.