<!--

# Exploit Title: Wordpress Testimonial Slider Stored XSS

# Date: 2015/8/31

# Exploit Author: Arash Khazaei

# Vendor Homepage: https://wordpress.org/plugins/testimonial-slider/

# Software Link: https://downloads.wordpress.org/plugin/testimonial-slider.1.2.1.zip

# Version: 1.2.1

# Tested on: Kali, Iceweasel Browser

# CVE : N/A

# Contact : twitter.com/0xClay

# Email : junkyboy@ghostmail.com

# Site : http://bhunter.ir

# Introduction :

# The WordPress Testimonial Slider plugin has 10,000+ active installs

# and suffers from a stored XSS vulnerability in the Slider Name field.

# Authors, editors and, of course, administrators can use this vulnerability to harm the website.

  -->

Exploit :

To reproduce this vulnerability, install the Testimonial Slider plugin, then create a new slider and place your JavaScript code in the Slider Name input.

After the slider is created, the JavaScript code will be executed.


Vulnerable Code : 

<h3><?php _e('Reorder the Posts/Pages Added To','testimonial-slider'); ?>
<?php echo $slider['slider_name'];?>(Slider ID = <?php echo $slider['slider_id'];?>)</h3>

Patched Code :

<h3><?php _e('Reorder the Posts/Pages Added To','testimonial-slider'); ?>
<?php echo htmlspecialchars($slider['slider_name']);?>(Slider ID = <?php echo $slider['slider_id'];?>)</h3>
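
Added example (not part of the original advisory or the plugin's code): a small Python check that flags `<?php echo $var ?>` output not wrapped in an escaping function, run over the vulnerable and patched snippets above. The escaper list and the names `unescaped_echoes` and `wrapped_by_escaper` are assumptions of this example.

```python
import re

# Output wrappers treated as escaping (PHP built-ins and WordPress helpers).
ESCAPERS = {"htmlspecialchars", "htmlentities", "intval", "absint",
            "esc_html", "esc_attr", "esc_url", "esc_js", "esc_textarea"}

# `<?php echo EXPR; ?>` or `<?= EXPR ?>`, including echoes wrapped across lines.
ECHO_RE = re.compile(r"<\?(?:php\s+echo\b|=)\s*(.*?)\s*;?\s*\?>", re.S | re.I)
VAR_RE = re.compile(r"\$\w+")


def wrapped_by_escaper(expr):
    """True when the whole expression is one call to a known escaper.
    Parentheses inside string literals are not handled (heuristic)."""
    m = re.match(r"([A-Za-z_]\w*)\s*\(", expr)
    if not m or m.group(1).lower() not in ESCAPERS:
        return False
    depth = 0
    for i in range(m.end() - 1, len(expr)):
        depth += (expr[i] == "(") - (expr[i] == ")")
        if depth == 0:
            return i == len(expr) - 1  # call must close at the very end
    return False


def unescaped_echoes(template):
    """Return (line, expression) for every echoed variable not escaped."""
    findings = []
    for m in ECHO_RE.finditer(template):
        expr = m.group(1).strip()
        if VAR_RE.search(expr) and not wrapped_by_escaper(expr):
            findings.append((template.count("\n", 0, m.start()) + 1, expr))
    return findings


# The two snippets from this advisory, embedded as sample input.
VULNERABLE = """\
<h3><?php _e('Reorder the Posts/Pages Added To','testimonial-slider'); ?>
<?php echo $slider['slider_name'];?>(Slider ID = <?php echo
$slider['slider_id'];?>)</h3>"""
PATCHED = """\
<h3><?php _e('Reorder the Posts/Pages Added To','testimonial-slider'); ?>
<?php echo htmlspecialchars($slider['slider_name']);?>(Slider ID = <?php
echo $slider['slider_id'];?>)</h3>"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("patched", PATCHED)):
        print(name, unescaped_echoes(src))
```

On the patched snippet only `$slider['slider_id']` is still reported; the advisory does not show where that value comes from, so treat it as a line to review rather than a confirmed issue.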

<!-- Discovered By Arash Khazaei (Aka JunkyBoy) -->
