5
[webapps] WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scri...
source link: https://www.exploit-db.com/exploits/51008
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)
EDB-ID:
51008
EDB Verified:
# Exploit Title: WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)
# Date: 08/08/2022
# Exploit Author: saitamang, syad, yunaranyancat
# Vendor Homepage: wordpress.org
# Software Link: https://downloads.wordpress.org/plugin/netroics-blog-posts-grid.zip
# Version: 1.0
# Tested on: Centos 7 apache2 + MySQL
WordPress Plugin "Netroics Blog Posts Grid" is prone to a stored cross-site scripting (XSS) vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin "Netroics Blog Posts Grid" version 1.0 is vulnerable; prior versions may also be affected.
Login as Editor > Add testimonial > Under Title inject payload below ; parameter (post_title parameter) > Save Draft > Preview the post
payload --> user s1"><img src=x onerror=alert(document.cookie)>.gif
The draft post can be viewed using other Editor or Admin account and Stored XSS will be triggered.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK