# Exploit Title: WordPress Testimonial Slider Stored XSS
# Date: 2015/8/31
# Exploit Author: Arash Khazaei
# Vendor Homepage: https://wordpress.org/plugins/testimonial-slider/
# Software Link: https://downloads.wordpress.org/plugin/testimonial-slider.1.2.1.zip
# Version: 1.2.1
# Tested on: Kali, Iceweasel browser
# CVE: N/A
# Contact: twitter.com/0xClay
# Email: junkyboy@ghostmail.com
# Site: http://bhunter.ir
# Introduction:
# The WordPress Testimonial Slider plugin has 10,000+ active installs
# and suffers from a stored XSS vulnerability in the "Slider Name" field.
# Authors, Editors and of course Administrators can use this vulnerability
# to harm the website.
Exploit:
To exploit this vulnerability, install the Testimonial Slider plugin, then
create a new slider and place JavaScript code in the "Slider Name" input.
After the slider is created, the JavaScript code is executed: the slider name
is echoed into the admin page unescaped (see the heading quoted below).
Image POC:
Vulnerable Code:
<h3><?php _e('Reorder the Posts/Pages Added To','testimonial-slider'); ?>
<?php echo $slider['slider_name'];?>(Slider ID = <?php echo $slider['slider_id'];?>)</h3>
For Patching:
<h3><?php _e('Reorder the Posts/Pages Added To','testimonial-slider'); ?>
<?php echo htmlspecialchars($slider['slider_name']);?>(Slider ID = <?php echo $slider['slider_id'];?>)</h3>
In WordPress code the usual equivalent is esc_html(), which also encodes
single quotes; $slider['slider_id'] should be passed through intval() or
absint() on output as well. Note that on a default single-site install
Editors and Administrators already hold the unfiltered_html capability, so
the practical impact is that lower-privileged users who are allowed to
create sliders can plant script that runs in an administrator's browser.
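The following is an added example, not the plugin's code or the advisory's: it renders the <h3> fragment above from a constructed slider record with the original unescaped template and with the escaped template, so the two outputs can be compared. The label string stands in for the plugin's translated _e() call, and the payload in slider_name is constructed for the demonstration.

```php
<?php
// Added example (not the Testimonial Slider plugin's code): renders the
// advisory's <h3> fragment from a constructed slider record with the original
// (unescaped) template and with the escaped template, side by side.
// Run with: php testimonial_xss_demo.php

declare(strict_types=1);

// Stand-in for the plugin's translated label; WordPress's _e() is not
// available outside WordPress. The text is the one quoted in the advisory.
const REORDER_LABEL = 'Reorder the Posts/Pages Added To';

// Constructed slider record: the name carries a script payload of the kind a
// user could type into the "Slider Name" input.
$slider = [
    'slider_name' => '<script>alert(document.domain)</script>',
    'slider_id'   => 1,
];

// Original template: $slider['slider_name'] is echoed into HTML verbatim.
function render_vulnerable(array $slider): string
{
    return '<h3>' . REORDER_LABEL . ' ' . $slider['slider_name']
        . '(Slider ID = ' . $slider['slider_id'] . ')</h3>';
}

// Patched template: the name is HTML-encoded for element content. ENT_QUOTES
// also encodes both quote characters, which matters if the same value is ever
// placed inside an attribute; the id is cast to int so it cannot carry markup.
// In WordPress code the idiomatic equivalents are esc_html() and absint().
function render_patched(array $slider): string
{
    return '<h3>' . REORDER_LABEL . ' '
        . htmlspecialchars($slider['slider_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '(Slider ID = ' . (int) $slider['slider_id'] . ')</h3>';
}

// Simple check: does a rendered fragment still contain a live <script> tag?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo "vulnerable: ", render_vulnerable($slider), PHP_EOL;
echo "patched:    ", render_patched($slider), PHP_EOL;
echo "script tag survives (vulnerable): ",
    var_export(contains_script_tag(render_vulnerable($slider)), true), PHP_EOL;
echo "script tag survives (patched):    ",
    var_export(contains_script_tag(render_patched($slider)), true), PHP_EOL;
```

Running it prints the raw <script> tag in the vulnerable output and the entity-encoded form (&lt;script&gt;...) in the patched output; the check function returns true for the former and false for the latter.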
Discovered by Arash Khazaei (aka JunkyBoy)